I'm using deploy-cloud-functions GitHub Action to deploy a Cloud Function. I've successfully deployed one Cloud Function using it but a second one (using the same service account, in the same project, using the same workflow) is producing an error:
Run google-github-actions/deploy-cloud-functions@v0
Extracted project ID 'my-project' from $GCLOUD_PROJECT
Created zip file from './' at '/tmp/cfsrc-50378e4a065cfb06ed27a123.zip'
Error: google-github-actions/deploy-cloud-functions failed with: failed to upload zip file: The caller does not have permission
To confirm, all services have been enabled and I have created a new service account and assigned it both the iam.serviceAccountUser role and the iam.cloudFunctionsDeveloper role on the project -- in line with the authorization guidelines.
I've also setup Workload Identity Federation and am using that for authentication between GitHub and GCP.
Creating a pool:
gcloud iam workload-identity-pools create github-pool \
    --location="global" \
    --display-name="GitHub pool"
And a provider:
gcloud iam workload-identity-pools providers create-oidc github-provider \
    --location='global' \
    --workload-identity-pool=github-pool \
    --display-name='GitHub provider' \
    --attribute-mapping='google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository' \
    --issuer-uri='https://token.actions.githubusercontent.com'
And allowed impersonation of the service account:
gcloud iam service-accounts add-iam-policy-binding \
    github-actions-sa@my-project.iam.gserviceaccount.com \
    --role="roles/iam.workloadIdentityUser" \
    --member="principalSet://iam.googleapis.com/projects/1234567891234/locations/global/workloadIdentityPools/github-pool/attribute.repository/my-org/my-repo"
The GitHub Actions workflow I'm using is:
name: CD
on:
  push:
    branches: [main]
  workflow_dispatch:
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: "read"
      id-token: "write"
    steps:
      - name: "Checkout repository"
        uses: actions/checkout@v3
      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v0"
        with:
          workload_identity_provider: "projects/1234567891234/locations/global/workloadIdentityPools/github-pool"
          service_account: "github-actions-sa@my-project.iam.gserviceaccount.com"
      - id: "deploy"
        uses: "google-github-actions/deploy-cloud-functions@v0"
        with:
          name: "my-function"
          runtime: "python310"
          entry_point: "main"
          region: "europe-west6"
          service_account_email: github-actions-sa@my-project.iam.gserviceaccount.com
I can't figure out why this function with the same service account in the same project is failing with a permissions error whilst another function works using the same setup.
Can anyone suggest how I may resolve the permissions issue?
The problem was due to my --attribute-mapping when creating the provider. In my case I wanted to deploy from multiple GitHub repositories (under one organization) using a single GitHub provider. By mapping the following attributes I limited access to only my personal GitHub account and one particular repository:
attribute.actor=assertion.actor - The personal GitHub account that initiated the workflow.
attribute.repository=assertion.repository - The repository from where the workflow is running.

I recreated the provider using repository_owner instead:

    --attribute-mapping="google.subject=assertion.sub,attribute.repository_owner=assertion.repository_owner"

repository_owner - The name of the organization in which the repository is stored.

You need to wait up to 5 minutes for the permissions to update. After that my Cloud Function was successfully deployed.
The available claims on the GitHub OIDC token are listed here.
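To make the answer's point concrete, here is an added worked example (not part of the original question or answer, and not Google's evaluator) that simulates how the provider's --attribute-mapping turns a GitHub OIDC token into pool attributes and how a principalSet member in the service account's IAM binding is matched against them. The token payloads are constructed samples; the project number, pool name, org and repo names are the ones used in the question. Only the simple "attribute.X=assertion.claim" form is handled, whereas a real mapping is a CEL expression. One caveat for the defender: a binding on attribute.repository_owner lets every repository under my-org impersonate the service account, so if only some repositories should deploy, narrow it with an --attribute-condition on the provider or with separate bindings per repository.

```python
"""Simulate Workload Identity Federation attribute mapping and principalSet matching.

Added example: a toy model of the evaluation, not the real IAM/CEL engine.
"""

# Values taken from the question (project number and pool name).
PROJECT_NUMBER = "1234567891234"
POOL_ID = "github-pool"
POOL_PATH = (f"projects/{PROJECT_NUMBER}/locations/global/"
             f"workloadIdentityPools/{POOL_ID}")

# The two mappings from the thread: the original (per-repo) and the fix (per-owner).
ORIGINAL_MAPPING = ("google.subject=assertion.sub,"
                    "attribute.actor=assertion.actor,"
                    "attribute.repository=assertion.repository")
OWNER_MAPPING = ("google.subject=assertion.sub,"
                 "attribute.repository_owner=assertion.repository_owner")

# Constructed GitHub OIDC token payloads (only the claims relevant here).
TOKEN_MY_REPO = {
    "sub": "repo:my-org/my-repo:ref:refs/heads/main",
    "actor": "alice",
    "repository": "my-org/my-repo",
    "repository_owner": "my-org",
}
TOKEN_OTHER_REPO = {
    "sub": "repo:my-org/other-repo:ref:refs/heads/main",
    "actor": "bob",
    "repository": "my-org/other-repo",
    "repository_owner": "my-org",
}
TOKEN_OTHER_ORG = {
    "sub": "repo:someone-else/my-repo:ref:refs/heads/main",
    "actor": "alice",
    "repository": "someone-else/my-repo",
    "repository_owner": "someone-else",
}


def evaluate_mapping(mapping: str, claims: dict) -> dict:
    """Apply 'target=assertion.claim,...' to a token payload.

    Returns the pool-side attributes (e.g. {'attribute.repository': 'my-org/my-repo'}).
    Raises if a referenced claim is absent, mirroring a failed mapping.
    """
    attrs = {}
    for pair in mapping.split(","):
        target, expr = (s.strip() for s in pair.split("=", 1))
        if not expr.startswith("assertion."):
            raise ValueError(f"unsupported expression (CEL not modelled): {expr}")
        claim = expr[len("assertion."):]
        if claim not in claims:
            raise KeyError(f"token carries no claim {claim!r}")
        attrs[target] = claims[claim]
    if "google.subject" not in attrs:
        raise ValueError("google.subject must be mapped")
    return attrs


def principal_set(attribute: str, value: str) -> str:
    """Build the principalSet member string used in add-iam-policy-binding."""
    return f"principalSet://iam.googleapis.com/{POOL_PATH}/attribute.{attribute}/{value}"


def binding_matches(member: str, attrs: dict) -> bool:
    """True if the mapped attributes satisfy a principalSet member from this pool."""
    prefix = f"principalSet://iam.googleapis.com/{POOL_PATH}/attribute."
    if not member.startswith(prefix):
        return False
    # The attribute name ends at the first '/'; the value may itself contain '/'
    # (e.g. 'my-org/my-repo').
    name, _, expected = member[len(prefix):].partition("/")
    return attrs.get(f"attribute.{name}") == expected


def may_impersonate(mapping: str, member: str, claims: dict) -> bool:
    """Whether a token with these claims satisfies the binding under this mapping."""
    return binding_matches(member, evaluate_mapping(mapping, claims))


if __name__ == "__main__":
    repo_member = principal_set("repository", "my-org/my-repo")
    owner_member = principal_set("repository_owner", "my-org")
    for label, mapping, member in [("original", ORIGINAL_MAPPING, repo_member),
                                   ("fixed", OWNER_MAPPING, owner_member)]:
        for name, tok in [("my-repo", TOKEN_MY_REPO), ("other-repo", TOKEN_OTHER_REPO),
                          ("other-org", TOKEN_OTHER_ORG)]:
            print(f"{label:8} {name:10} -> {may_impersonate(mapping, member, tok)}")
```

Running it shows the behaviour the answer describes: under the original mapping and binding only my-org/my-repo is accepted; after switching to repository_owner every repository under my-org is accepted and a repository under another owner is still refused. It also shows a consequence worth checking after recreating a provider: a binding that still references attribute.repository no longer matches anything once that attribute is dropped from the mapping.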