gsutil isn't authenticated
TL;DR
gsutil isn't authenticated even though the docs mention it is possible
Expected behavior
gsutil is authenticated
Observed behavior
I get the error "401 Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket."
Action YAML
```yaml
name: Docs build & upload
on:
  push:
    branches:
      - main
env:
  GCS_DEST: gs://...
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.11"]
    steps:
      - uses: actions/checkout@v4
      - name: "google cloud auth"
        uses: "google-github-actions/auth@v2"
        with:
          credentials_json: "${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}"
      - name: publish
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          gsutil -m rsync -x 'compiled/.*$|.*\.msgpack$' -R -r target ${{ env.GCS_DEST }}
```
Log output
No response
Additional information
No response
Hi there @pvanderlinden :wave:!
Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.
Hi @pvanderlinden - I'm not seeing where you're using gsutil in your example, did you mean gcloud? You need to use google-github-actions/setup-gcloud@v2 to install and configure gcloud.
> Hi @pvanderlinden - I'm not seeing where you're using gsutil in your example, did you mean gcloud? You need to use google-github-actions/setup-gcloud@v2 to install and configure gcloud.

Sorry, apparently I posted the version with the workaround: using gcloud storage instead of gsutil works. I adjusted the example, as I tried it originally. gcloud and gsutil are already pre-installed on the GitHub Actions image. Is gcloud storage going to replace gsutil? If so, it might be good to mention in the docs that someone should use gcloud storage instead of gsutil, as the second doesn't work (while it currently says it does).
Hi @pvanderlinden, as noted in the README prerequisites, you must use gcloud/gsutil version 390.0.0 or later. We don't control which version of gcloud/gsutil is pre-installed on the GitHub Actions managed runners, and it may be older than the supported version.
According to the documentation it's up to date enough. https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md#cli-tools
I was going to double check, but GitHub has some issues at the moment, and the workflow doesn't run.
> Hi @pvanderlinden, as noted in the README prerequisites, you must use gcloud/gsutil version 390.0.0 or later. We don't control which version of gcloud/gsutil is pre-installed on the GitHub Actions managed runners, and it may be older than the supported version.

I just double checked. This is the result of running the command in a github actions workflow:
```
> gcloud --version
Google Cloud SDK 469.0.0
alpha 2024.03.15
beta 2024.03.15
bq 2.1.1
bundled-python3-unix 3.11.8
core 2024.03.15
gcloud-crc32c 1.0.0
gsutil 5.27
```
You still need actions/setup-gcloud (you can set install: false to bypass installation), because something has to run gcloud auth login...
> You still need actions/setup-gcloud (you can set install: false to bypass installation), because something has to run gcloud auth login...

Isn't this what the "auth" action is supposed to do? It authenticates gcloud utilities (except gsutil/bq apparently)
```yaml
- name: "google cloud auth"
  uses: "google-github-actions/auth@v2"
  with:
    credentials_json: "${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}"
```
The auth action creates credentials files and exports environment variables. Unfortunately gcloud (and gsutil and bq) do not read any environment variables to source their authentication. auth can't run the commands to authenticate those tools because it doesn't install them on the system (and can't guarantee they are installed (e.g. self-hosted runners)).
> The auth action creates credentials files and exports environment variables. Unfortunately gcloud (and gsutil and bq) do not read any environment variables to source their authentication. auth can't run the commands to authenticate those tools because it doesn't install them on the system (and can't guarantee they are installed (e.g. self-hosted runners)).

Thanks. This explains the issue. However, the current auth action actually authenticates the CLI tool gcloud (as otherwise my workaround wouldn't work), but not gsutil and bq. This makes this action confusing, especially with the documentation saying "To use the bq or gsutil tools, use the Google Cloud SDK version 390.0.0 or newer.". I think it would enhance the documentation by a lot if it is actually mentioned in the documentation that you need the setup actions as well to use these tools.
auth does not authenticate gcloud. setup-gcloud authenticates gcloud with the credentials from auth.
Hi @pvanderlinden does that answer your question?
Sorry @sethvargo I got a bit sidetracked on this issue. It does answer my question.
However, I think the behavior is not really clear in the documentation:
- auth sounds like it would authenticate gcloud, and its related tools. Not that you need an extra step for this
- it even mentions it should now work for newer versions of bq/gsutil
- it doesn't mention anywhere that you need the setup-gcloud for the actual authentication
- to add to the confusion, it usually works for any other gcloud commands, without setup-gcloud
auth sets up the environment, specifically Application Default Credentials. If tools honor those, they are used. Otherwise, special authentication steps are needed.
> auth sets up the environment, specifically Application Default Credentials. If tools honor those, they are used. Otherwise, special authentication steps are needed.

I do understand that after the explanation in this ticket. But as I explained, the docs aren't clear about this, especially by mentioning that bq/gsutil should work with newer versions.
Hi @sethvargo I'm running into the same issue as @pvanderlinden, and I agree the docs aren't clear on how to get gsutil working. I used gcloud storage and it worked, but that has limitations which should probably be noted.
@Ben-Epstein - can you run gsutil --version, gcloud --version, which gcloud, and which gsutil and share the output please? If gcloud is working and gsutil is not, then that means the binaries might be pointing to different installations.
@sethvargo Here you go
```
gsutil version: 5.30
/usr/bin/gsutil
Google Cloud SDK 487.0.0 alpha 2024.08.06 beta 2024.08.06 bq 2.1.7 bundled-python3-unix 3.11.9 core 2024.08.06 gcloud-crc32c 1.0.0 gsutil 5.30
/usr/bin/gcloud
```
And this is essentially my entire workflow
```yaml
- uses: actions/checkout@v4
- name: setup gcloud
  uses: 'google-github-actions/auth@v2'
  with:
    project_id: '<REDACTED>'
    workload_identity_provider: '<REDACTED>'
- name: get versions
  run: |
    echo $(gsutil --version)
    echo $(which gsutil)
    echo $(gcloud --version)
    echo $(which gcloud)
```
Hmm that's so weird because I'm running the exact same version of gsutil locally and it seems to respect GOOGLE_APPLICATION_CREDENTIALS. Let me dig in more.
Hey folks - I heard back from the engineering team, and they confirmed that gsutil does not respect this credential method. Per the public Google Cloud documentation, the recommended path is to use gcloud storage instead.
fwiw gsutil definitely uses the auth in this action as of '>= 507.0.0', which is what I am using right now. It works out of the box. I think we could update the readme again.
```yaml
- name: authenticate to gcp with workload identity for ${{ matrix.environment }}
  uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: xxxxx
    service_account: xxxxx
- name: set up google cloud sdk
  uses: 'google-github-actions/setup-gcloud@v2'
  with:
    version: '>= 507.0.0'
```
Hi @ElijahLynn: If I understood the rest of the conversation correctly, as soon as you used 'google-github-actions/setup-gcloud@v2' you fixed the problem.
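
The combination the thread converges on (auth, then setup-gcloud, then gcloud storage in place of gsutil), written out as an added example that is not part of the original thread or the project's documentation. The bucket name is a placeholder, and the preflight step and the `permissions` block are additions for illustration.

```yaml
# Added example assembled from the steps discussed in this thread.
name: Docs build & upload
on:
  push:
    branches:
      - main
env:
  GCS_DEST: gs://EXAMPLE-BUCKET/docs   # placeholder, replace with your bucket
permissions:
  contents: read                       # the job only needs to read the repo
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Writes a credentials file and exports environment variables
      # (Application Default Credentials). It does not configure the CLI.
      - name: google cloud auth
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}

      # Configures gcloud with the credentials produced by the auth step.
      - name: set up google cloud sdk
        uses: google-github-actions/setup-gcloud@v2
        with:
          version: '>= 390.0.0'

      # Preflight: stop here if the CLI has no active account, rather than
      # failing mid-upload with "401 Anonymous caller does not have ...".
      - name: verify gcloud is authenticated
        run: |
          account="$(gcloud auth list --filter=status:ACTIVE --format='value(account)')"
          if [ -z "$account" ]; then
            echo "gcloud has no active account" >&2
            exit 1
          fi
          echo "active account: $account"

      - name: publish
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          gcloud storage rsync --recursive \
            --exclude='compiled/.*$|.*\.msgpack$' \
            target "$GCS_DEST"
```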