GCP 工作负载身份联合 - Github 提供商 - 'Unable to acquire impersonated credentials'
GCP workload identity federation - Github provider - 'Unable to acquire impersonated credentials'
我已严格遵守 these instructions 允许我使用短期令牌身份验证方法从我们的 github 操作工作流访问 gcloud 资源。
我已经使用上面的确切说明创建了服务帐户、工作负载身份池和 github 提供程序池,但似乎授权步骤没有获得正确的令牌(或任何令牌全部)。 GCP 服务帐户具有正确的 IAM 权限。
在 gcloud compute instances list 步骤中,我收到错误消息:
ERROR: (gcloud.compute.instances.list) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n "error": {\n "code": 403,\n "message": "The caller does not have permission",\n "status": "PERMISSION_DENIED"\n }\n}\n')
Please run:
$ gcloud auth login
to obtain new credentials.
我的github动作文件如下:
jobs:
backup:
permissions:
contents: 'read'
id-token: 'write'
runs-on: ubuntu-latest
steps:
- name: 'Checkout code'
uses: actions/checkout@v3
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v0'
with:
workload_identity_provider: 'projects/*******/locations/global/workloadIdentityPools/**REDACTED**/providers/github-provider'
service_account: '**REDACTED**@**REDACTED**.iam.gserviceaccount.com'
# Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`.
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v0'
- name: 'Use gcloud CLI'
run: gcloud compute instances list
我启用了 logging for the token exchange,我也可以在 GCP 日志中看到它发生(没有明显错误)。所以我完全被难住了。
有什么想法吗?
所以后来才知道这是什么东西。尽管 运行:
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
--role=roles/iam.workloadIdentityUser \
--member="MEMBER_EXPRESSION"
作为 per the docs,它没有授予权限 - 我进入控制台并检查了“连接的服务帐户”菜单(左侧)下的工作负载身份池,但服务帐户不在其中,所以我手动添加了它。
我已严格遵守 these instructions 允许我使用短期令牌身份验证方法从我们的 github 操作工作流访问 gcloud 资源。
我已经使用上面的确切说明创建了服务帐户、工作负载身份池和 github 提供程序池,但似乎授权步骤没有获得正确的令牌(或任何令牌全部)。 GCP 服务帐户具有正确的 IAM 权限。
在 gcloud compute instances list 步骤中,我收到错误消息:
ERROR: (gcloud.compute.instances.list) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n "error": {\n "code": 403,\n "message": "The caller does not have permission",\n "status": "PERMISSION_DENIED"\n }\n}\n')
Please run:
$ gcloud auth login
to obtain new credentials.
我的github动作文件如下:
jobs:
backup:
permissions:
contents: 'read'
id-token: 'write'
runs-on: ubuntu-latest
steps:
- name: 'Checkout code'
uses: actions/checkout@v3
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v0'
with:
workload_identity_provider: 'projects/*******/locations/global/workloadIdentityPools/**REDACTED**/providers/github-provider'
service_account: '**REDACTED**@**REDACTED**.iam.gserviceaccount.com'
# Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`.
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v0'
- name: 'Use gcloud CLI'
run: gcloud compute instances list
我启用了 logging for the token exchange,我也可以在 GCP 日志中看到它发生(没有明显错误)。所以我完全被难住了。
有什么想法吗?
所以后来才知道这是什么东西。尽管 运行:
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
--role=roles/iam.workloadIdentityUser \
--member="MEMBER_EXPRESSION"
作为 per the docs,它没有授予权限 - 我进入控制台并检查了“连接的服务帐户”菜单(左侧)下的工作负载身份池,但服务帐户不在其中,所以我手动添加了它。