TL;DR
I am trying to use this extension for a different universe than GCP, and to do so I need:
- to set the correct universe for APIs
- to pass a custom audience, as that still needs to refer to googleapis.com
While the universe setting is correctly managed, the audience seems to be ignored.
Expected behavior
The expected behaviour is that the initial token is validated against the universe-aware WIF provider id, but contains the audience using googleapis.com.
Observed behavior
Provider audience (set to default): https://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/cicd-0/providers/github-default
Just setting the universe produces this error (wrong audience used):
Error: google-github-actions/auth failed with: failed to generate Google Cloud federated token for //iam.apis-berlin-build0.goog/projects/1234567890/locations/global/workloadIdentityPools/cicd-0/providers/github-default: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}
Setting the universe and forcing the audience to googleapis produces the same error:
Error: google-github-actions/auth failed with: failed to generate Google Cloud federated token for //iam.apis-berlin-build0.goog/projects/1234567890/locations/global/workloadIdentityPools/cicd-0/providers/github-default: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}
Debug log for second scenario (universe+audience) is at the bottom.
Action YAML
First case (only universe set):
- id: gcp-auth
  name: Authenticate to Google Cloud
  uses: google-github-actions/auth@v3
  with:
    workload_identity_provider: ${{env.FAST_WIF_PROVIDER}}
    service_account: ${{env.service_account}}
    universe: apis-berlin-build0.goog
    access_token_lifetime: 900s
Second case (audience set):
- id: gcp-auth
  name: Authenticate to Google Cloud
  uses: google-github-actions/auth@v3
  with:
    workload_identity_provider: ${{env.FAST_WIF_PROVIDER}}
    service_account: ${{env.service_account}}
    universe: apis-berlin-build0.goog
    access_token_lifetime: 900s
    audience: https://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/cicd-0/providers/github-default
Log output
Debug log for second (correct, but failing) case.
##[debug]WorkloadIdentityFederationClient.getToken: Built request, {
##[debug] "method": "POST",
##[debug] "path": "https://sts.apis-berlin-build0.goog/v1/token",
##[debug] "headers": {},
##[debug] "body": {
##[debug] "audience": "//iam.apis-berlin-build0.goog/projects/1234567890/locations/global/workloadIdentityPools/cicd-0/providers/github-default",
##[debug] "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
##[debug] "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
##[debug] "scope": "https://www.apis-berlin-build0.goog/auth/cloud-platform",
##[debug] "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
##[debug] "subjectToken": "***"
##[debug] }
##[debug]}
Additional information
Feel free to reach out internally if you need more details or an environment to test this.
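As an added illustration (not code from google-github-actions/auth or from this report), the function below builds the STS token-exchange request that the debug log above shows, with the precedence the report expects: an explicit audience input is passed through verbatim, and only when none is given is the audience derived from the universe domain. It also rejects a workload_identity_provider that is not a full provider resource name, since the STS error quoted above is what that mistake looks like on the wire. The function and parameter names are assumptions, and the subject token is a constructed placeholder.

```javascript
// Added illustrative example; not the action's own implementation.
// Names (buildStsTokenRequest, explicitAudienceHonored) are assumptions.
const STS_GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:token-exchange';
const STS_ACCESS_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:access_token';
const STS_JWT_TYPE = 'urn:ietf:params:oauth:token-type:jwt';

// Full resource name of a WIF provider, without the "//iam.<domain>/" prefix.
const PROVIDER_RE =
  /^projects\/\d+\/locations\/global\/workloadIdentityPools\/[^/]+\/providers\/[^/]+$/;

/**
 * Build the STS token-exchange request for a GitHub OIDC subject token.
 * @param {object} opts
 * @param {string} opts.workloadIdentityProvider  "projects/<n>/locations/global/workloadIdentityPools/<pool>/providers/<id>"
 * @param {string} [opts.universe]  universe domain; defaults to googleapis.com
 * @param {string} [opts.audience]  explicit audience; when set it wins over the derived one
 * @param {string} opts.subjectToken  the GitHub OIDC JWT (never log this value)
 */
function buildStsTokenRequest({ workloadIdentityProvider, universe = 'googleapis.com', audience, subjectToken }) {
  if (!PROVIDER_RE.test(workloadIdentityProvider)) {
    throw new Error(
      `workload_identity_provider must be a full provider resource name, got: ${workloadIdentityProvider}`,
    );
  }
  // Default: the provider resource name under the IAM host of the configured universe.
  const derivedAudience = `//iam.${universe}/${workloadIdentityProvider}`;
  return {
    method: 'POST',
    path: `https://sts.${universe}/v1/token`,
    headers: {},
    body: {
      audience: audience ?? derivedAudience,
      grantType: STS_GRANT_TYPE,
      requestedTokenType: STS_ACCESS_TOKEN_TYPE,
      scope: `https://www.${universe}/auth/cloud-platform`,
      subjectTokenType: STS_JWT_TYPE,
      subjectToken,
    },
  };
}

// Check that would have caught the behaviour described in the report:
// when an explicit audience is configured, the request body must carry it unchanged.
function explicitAudienceHonored(opts) {
  if (opts.audience === undefined) return true;
  return buildStsTokenRequest(opts).body.audience === opts.audience;
}

// Constructed inputs matching the second scenario in the report.
const EXAMPLE_INPUTS = {
  workloadIdentityProvider:
    'projects/1234567890/locations/global/workloadIdentityPools/cicd-0/providers/github-default',
  universe: 'apis-berlin-build0.goog',
  audience:
    'https://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/cicd-0/providers/github-default',
  subjectToken: 'constructed.jwt.placeholder',
};

if (typeof require !== 'undefined' && require.main === module) {
  const req = buildStsTokenRequest(EXAMPLE_INPUTS);
  // Redact the subject token before printing, as the action's debug log does.
  console.log(JSON.stringify({ ...req, body: { ...req.body, subjectToken: '***' } }, null, 2));
}
```

Running the block prints a request in the same shape as the debug log above, but with the explicitly configured googleapis.com audience in the body while the STS endpoint and scope still use the universe domain.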