
Make GCP Workload Identity work with act

Open RS185734 opened this issue 1 year ago • 2 comments

Act version

0.2.60

Feature description

GCP recommends not to use a service account, and we are trying to implement Workload Identity.

    steps:
      - uses: actions/checkout@v4
      - name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v2"
        with:
          workload_identity_provider: "projects/some/locations/global/workloadIdentityPools/some-gh-pool/providers/some-gh-provider"
          service_account: "[email protected]"

The process works well in GitHub Actions, but in act I see:

[GCP - Rocky 8/GCP-VM-DEPLOY]   ❗  ::error::google-github-actions/auth failed with: gitHub Actions did not inject $ACTIONS_ID_TOKEN_REQUEST_TOKEN or $ACTIONS_ID_TOKEN_REQUEST_URL into this job. This most likely means the GitHub Actions workflow permissions are incorrect, or this job is being run from a fork. For more information, please see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

Am I missing some variables?

RS185734 avatar Mar 27 '24 13:03 RS185734

      # GCP auth is for getting secrets from secret manager.
      # download-introspection-json.ts requires a secret to make the request.
      - if: ${{ env.CLOUDSDK_AUTH_ACCESS_TOKEN == '' }}
        name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: "projects/<projectnumber>/locations/global/workloadIdentityPools/github-action-pool/providers/github-action-provider"
          service_account: "github-action@<projectname>.iam.gserviceaccount.com"

Or you could use GOOGLE_APPLICATION_CREDENTIALS, but if you try to use either, you need to be cautious, since splitting multiline GitHub Actions statements runs through all the vagaries of its partial YAML support, JavaScript syntax, shell syntax, and other oddities, so that way lies madness. See here: https://github.com/orgs/community/discussions/25641#discussioncomment-11142107

So I think this is correct:

      # GCP auth is for getting secrets from secret manager.
      # download-introspection-json.ts requires a secret to make the request.
      - if: ${{ env.CLOUDSDK_AUTH_ACCESS_TOKEN == '' && env.GOOGLE_APPLICATION_CREDENTIALS == ''}}
        name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: "projects/<projectnumber>/locations/global/workloadIdentityPools/github-action-pool/providers/github-action-provider"
          service_account: "github-action@<projectname>.iam.gserviceaccount.com"
      - if: ${{ env.CLOUDSDK_AUTH_ACCESS_TOKEN != '' || env.GOOGLE_APPLICATION_CREDENTIALS != ''}}
        name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v2

Then you could expose one of these to act like this:

export CLOUDSDK_AUTH_ACCESS_TOKEN=$(gcloud auth print-access-token)
act --env 'vars.CLOUDSDK_AUTH_ACCESS_TOKEN='"$CLOUDSDK_AUTH_ACCESS_TOKEN" -j <action_name>

or

export GOOGLE_APPLICATION_CREDENTIALS="$HOME/Downloads/service-account-file.json"
act --env 'vars.GOOGLE_APPLICATION_CREDENTIALS='"$GOOGLE_APPLICATION_CREDENTIALS" -j <action_name>

See more details here: https://github.com/google-github-actions/auth/issues/401

Your workflow will also need a redundant copy of the google-github-actions/auth@v2 step, with an inverted `if`, for the non-Workload-Identity-Federation case, where it gets the credentials from either of those environment variables.

StevenACoffman avatar Jun 06 '25 19:06 StevenACoffman
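Putting the two host-side options from the comment above into one wrapper script, as an added example that is not from the thread or from act's own documentation: it mints a short-lived token with `gcloud auth print-access-token` when the developer is logged in and only falls back to a service-account key file. Because the path in GOOGLE_APPLICATION_CREDENTIALS is a host path that does not exist inside the act job container, the key-file case bind-mounts the file read-only and points the in-container variable at the mount. The container-side path /run/gcp/key.json, the job name, and the use of act's `--container-options` to forward a Docker `-v` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): run an act job with Google credentials
# supplied from the host, because act never provides the OIDC token endpoint
# that google-github-actions/auth needs for Workload Identity Federation.
#
# Assumptions: act's --env and -j flags as in act 0.2.x; --container-options
# forwards "docker run" style flags, so "-v" bind-mounts the key file;
# /run/gcp/key.json is an arbitrary path chosen for the container side.
set -eu

# Pick the credential source. Prints "token" if an access token is given,
# "keyfile" if a readable key file is given instead, and fails otherwise.
gcp_cred_mode() {
  token="${1:-}"
  keyfile="${2:-}"
  if [ -n "$token" ]; then
    printf 'token\n'
  elif [ -n "$keyfile" ] && [ -r "$keyfile" ]; then
    printf 'keyfile\n'
  else
    return 1
  fi
}

# Refuse to mount anything that is not a service-account key file: a user
# credential file (type "authorized_user") would be the wrong thing to ship
# into the container and would fail later with a confusing error.
is_service_account_key() {
  [ -r "$1" ] || return 1
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$1"
}

# Print the act arguments for the chosen mode, one per line. The access token
# travels as a plain job-container env var; the key file is mounted read-only,
# and GOOGLE_APPLICATION_CREDENTIALS inside the container points at the mount,
# not at the host path (which does not exist in the container).
act_cred_args() {
  mode="$1"
  token="${2:-}"
  keyfile="${3:-}"
  case "$mode" in
    token)
      printf -- '--env\nCLOUDSDK_AUTH_ACCESS_TOKEN=%s\n' "$token"
      ;;
    keyfile)
      printf -- '--env\nGOOGLE_APPLICATION_CREDENTIALS=/run/gcp/key.json\n'
      printf -- '--container-options\n-v %s:/run/gcp/key.json:ro\n' "$keyfile"
      ;;
    *)
      return 1
      ;;
  esac
}

# Entry point: prefer a short-lived token from the developer's gcloud login,
# fall back to GOOGLE_APPLICATION_CREDENTIALS from the host environment.
run_act_job() {
  job="$1"
  token=$(gcloud auth print-access-token 2>/dev/null || true)
  keyfile="${GOOGLE_APPLICATION_CREDENTIALS:-}"
  mode=$(gcp_cred_mode "$token" "$keyfile") || {
    echo "no GCP credentials: run 'gcloud auth login' or set GOOGLE_APPLICATION_CREDENTIALS" >&2
    return 1
  }
  if [ "$mode" = keyfile ] && ! is_service_account_key "$keyfile"; then
    echo "$keyfile is not a service-account key file" >&2
    return 1
  fi
  # Split the generated arguments on newlines only, so "-v host:container"
  # survives as a single argument to --container-options.
  IFS='
'
  set -- $(act_cred_args "$mode" "$token" "$keyfile")
  unset IFS
  exec act "$@" -j "$job"
}

# Only run when invoked with a job name, e.g.: sh act-gcp.sh GCP-VM-DEPLOY
if [ "$#" -ge 1 ]; then
  run_act_job "$1"
fi
```

The script passes the variable under the plain name CLOUDSDK_AUTH_ACCESS_TOKEN, which is the name the `if:` conditions in the workflow above test through the `env` context. Anything passed with `--env` is readable with `docker inspect` on the job container and by any step that dumps its environment, which is one more reason to prefer the short-lived gcloud token over a long-lived key file when running locally.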