
Comments (11)

sethvargo avatar sethvargo commented on August 17, 2024

Hi @ssay-work - did you see the upgrade notes for 0.3.1?

from auth.

ssay-work avatar ssay-work commented on August 17, 2024

Yes, I did -- version 0.3.1 was the only version we started with (two weeks ago).


sethvargo avatar sethvargo commented on August 17, 2024

Hi @ssay-work - I just checked and my workflows are still running fine. Can you share the full run output? If this is a public repo, can you point me to the workflow run? It would also be helpful to have the output of:

gcloud iam workload-identity-pools providers describe github-actions-provider --location global --workload-identity-pool github-actions-pool


ssay-work avatar ssay-work commented on August 17, 2024

Unfortunately this is a private repo.

Here is the output of the command:

attributeMapping:
  attribute.actor: assertion.actor
  attribute.aud: assertion.aud
  attribute.repository: assertion.repository
  google.subject: assertion.sub
displayName: Github provider
name: projects/#########/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
oidc:
  issuerUri: https://token.actions.githubusercontent.com
state: ACTIVE

I can go through the README setup steps again. We did not change anything in the last two weeks since this last worked, and it wasn't readily apparent to me what the issue is.

Is there anything else I can check?


sethvargo avatar sethvargo commented on August 17, 2024

How is your IAM policy configured? Sorry - it's rather difficult to debug without understanding the complete setup or seeing the complete output. There should be text before that error that says something like "failed to generate Google Cloud federated token" or a hint as to where the invocation is failing.


ssay-work avatar ssay-work commented on August 17, 2024

Full error output

Action failed with error: Error: failed to generate Google Cloud access token for github-actions@########.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

The service account has all the privileges granted to it as stated in the README, including additional roles that we gave it during our initial phase.


sethvargo avatar sethvargo commented on August 17, 2024

Hi @ssay-work

That tells me that the OIDC exchange was successful (you successfully minted a GitHub OIDC token and exchanged it for a Google Cloud Federated Token), but then the resulting Federated Token did not have permissions to generate an OAuth 2.0 Access Token from the authentication.

Does your principal have roles/iam.workloadIdentityUser permissions on github-actions@########.iam.gserviceaccount.com? What are your IAM bindings?


ssay-work avatar ssay-work commented on August 17, 2024

Yes, it does. Results of this query:
gcloud iam service-accounts get-iam-policy "github-actions@${PROJECT_ID}.iam.gserviceaccount.com"

bindings:
- members:
  - principalSet://iam.googleapis.com/projects/########/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/agero-private/*
  role: roles/iam.workloadIdentityUser
etag: XXXXXXXX
version: 1


sethvargo avatar sethvargo commented on August 17, 2024

Are you able to confirm that the attribute.repository value is being mapped correctly? I think it would be better to map against repository_owner instead of using the splat here.


ssay-work avatar ssay-work commented on August 17, 2024

I believe it is correct, but let me update this to repository_owner and I'll report back.


ssay-work avatar ssay-work commented on August 17, 2024

Adding the binding for repository_owner worked.

I appreciate the response on this.

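The root cause in this thread is a binding whose attribute value ends in a splat: principalSet members match attribute values exactly, so `attribute.repository/agero-private/*` matches no token, and the federated token is refused when it asks for an access token. The script below is an added example (not the google-github-actions/auth project's own code) that checks a provider's attributeMapping against the workloadIdentityUser members on a service account offline; the sample data is constructed to mirror the thread's output, and the project number, the pool path and the assumption that the fix also added an `attribute.repository_owner` mapping are placeholders.

```python
import re

# Added example, not the google-github-actions/auth project's own code: an
# offline consistency check between a Workload Identity provider's
# attributeMapping and the principalSet members bound on a service account.
# Sample data is constructed to mirror the thread; the project number and the
# "agero-private" owner are placeholders.

POOL = "projects/000000000000/locations/global/workloadIdentityPools/github-actions-pool"

MAPPING_BEFORE = {              # as shown by the provider describe output
    "attribute.actor": "assertion.actor",
    "attribute.aud": "assertion.aud",
    "attribute.repository": "assertion.repository",
    "google.subject": "assertion.sub",
}
# Assumed post-fix mapping: the provider also exposes the owner claim.
MAPPING_AFTER = dict(MAPPING_BEFORE, **{"attribute.repository_owner": "assertion.repository_owner"})

POLICY_BEFORE = {"bindings": [{"role": "roles/iam.workloadIdentityUser",
    "members": [f"principalSet://iam.googleapis.com/{POOL}/attribute.repository/agero-private/*"]}]}
POLICY_AFTER = {"bindings": [{"role": "roles/iam.workloadIdentityUser",
    "members": [f"principalSet://iam.googleapis.com/{POOL}/attribute.repository_owner/agero-private"]}]}

PRINCIPAL_SET = re.compile(
    r"^principalSet://iam\.googleapis\.com/projects/[^/]+/locations/global"
    r"/workloadIdentityPools/[^/]+/attribute\.(?P<attr>[^/]+)/(?P<value>.+)$")

def check_member(member, attribute_mapping):
    """Return findings for one IAM member string (empty list means it looks sound)."""
    m = PRINCIPAL_SET.match(member)
    if not m:
        return [f"not a principalSet attribute member: {member}"]
    findings = []
    attr = "attribute." + m["attr"]
    if attr not in attribute_mapping:
        findings.append(f"{attr} is not in the provider attributeMapping, so no token carries it")
    if "*" in m["value"]:
        findings.append(f"principalSet attribute values match exactly; {m['value']!r} with '*' matches nothing")
    return findings

def check_policy(policy, attribute_mapping):
    """Map every roles/iam.workloadIdentityUser member to its findings."""
    report = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") == "roles/iam.workloadIdentityUser":
            for member in binding.get("members", []):
                report[member] = check_member(member, attribute_mapping)
    return report

if __name__ == "__main__":
    for label, policy, mapping in (("before", POLICY_BEFORE, MAPPING_BEFORE), ("after", POLICY_AFTER, MAPPING_AFTER)):
        for member, findings in check_policy(policy, mapping).items():
            print(label, member, findings or "OK")
```

Feed it the real output of `gcloud iam workload-identity-pools providers describe` and `gcloud iam service-accounts get-iam-policy` (parsed with a YAML loader) to reproduce the check against a live setup.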
