Cannot access Google Cloud Storage bucket from GitHub Actions Workflow

I have the Django test case test_retrieve_bucket to test access to a GCP storage bucket.

from datetime import datetime

from django.test import TestCase
from google.cloud import storage

from .models import Expense  # app-local model; assumed import, missing from the post


class DemoTest(TestCase):
    def setUp(self):
        self.expense = Expense.objects.create(
            invoice_number="ABC",
            account_number="123",
            customer_name="XYZ",
            invoice_amount=12.50,
            invoice_date=datetime.now(),
        )

    def test1(self):
        self.assertEqual(self.expense.invoice_number, "ABC")

    def test2(self):
        self.assertEqual(self.expense.account_number, "123")

    def test3(self):
        self.assertEqual(self.expense.customer_name, "XYZ")

    def test_retrieve_bucket(self):
        bucket_name = "test_bucket_8866"
        client = storage.Client()  # picks up the credentials the auth step provided
        bucket = client.bucket(bucket_name)
        # exists() issues a GET on the bucket resource, i.e. storage.buckets.get
        self.assertTrue(bucket.exists())

However, the test fails, and this is the error I am receiving:

google.api_core.exceptions.Forbidden: 403 GET https://storage.googleapis.com/storage/v1/b/test_bucket_8866?fields=name&prettyPrint=false: test-service-account@tbi-finance.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist).

I successfully authenticated the service account with Workload Identity Federation in the previous step: [screenshot]

The service account I used also has the Storage Object Admin role, which should give me access to the bucket: [screenshot]

Here is my workflow file:

name: Django CI

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  build:

    runs-on: ubuntu-latest
    strategy:
      max-parallel: 4
      matrix:
        python-version: [3.12.4]

    steps:
    - uses: actions/checkout@v4
    - name: auth
      uses: google-github-actions/auth@v2.0.0
      with:
        workload_identity_provider: 'projects/334572487877/locations/global/workloadIdentityPools/learn-github-actions-pool/providers/github-cdci'
        service_account: 'test-service-account@tbi-finance.iam.gserviceaccount.com'
    - name: Set up Python ${{ matrix.python-version }}
      uses: actions/setup-python@v3
      with:
        python-version: ${{ matrix.python-version }}
    - name: Install Dependencies
      run: |
        pip install pipenv && pipenv install --system
    - name: Run Tests
      run: |
        python manage.py test
permissions:
  contents: 'read'
  id-token: 'write'

When I ran the Django tests locally with the service account above, all of the tests passed. Is there anything else I'm missing?

Edit: This is the command I used to grant the WorkloadIdentityUser role to the Workload Identity Pool:

gcloud iam service-accounts add-iam-policy-binding "test-service-account@tbi-finance.iam.gserviceaccount.com" \
    --project="tbi-finance" \
    --role="roles/iam.workloadIdentityUser" \
    --member="principalSet://iam.googleapis.com/projects/334572487877/locations/global/workloadIdentityPools/learn-github-actions-pool/attribute.repository/duybtr/django_cdci"
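The 403 in the question names the exact permission being refused (storage.buckets.get, which bucket.exists() needs because it GETs the bucket resource), so a useful pre-flight for a CI test suite is to ask GCS which of the required permissions the workflow's credential actually holds and fail with that list instead of a raw exception. The following is an added example, not code from the question or from the google-cloud-storage project: it wraps the real Bucket.test_iam_permissions() call (network, not run offline) and keeps the permission-diffing and 403-parsing logic pure so it can be exercised on the constructed sample below. The bucket and service-account names are taken from the question; the required-permission list is an assumption for this test suite.

```python
"""Pre-flight GCS permission check for a Django/CI test suite (added example)."""
import re
from typing import Iterable

# Permissions this suite needs. bucket.exists() does a GET on the bucket
# resource (storage.buckets.get); the object permissions cover reading
# objects inside it. Assumed set for this example.
REQUIRED_BUCKET_PERMISSIONS = (
    "storage.buckets.get",
    "storage.objects.get",
    "storage.objects.list",
)

# Matches the wording of the 403 shown in the question:
# "... Permission 'storage.buckets.get' denied on resource ..."
_DENIED_RE = re.compile(r"Permission '(?P<perm>[\w.]+)' denied")
_PRINCIPAL_RE = re.compile(r"(?P<sa>[\w.-]+@[\w.-]+\.iam\.gserviceaccount\.com)")


def missing_permissions(required: Iterable[str], granted: Iterable[str]) -> list[str]:
    """Return the required permissions absent from the granted set, in order."""
    granted_set = set(granted)
    return [p for p in required if p not in granted_set]


def parse_forbidden(message: str) -> dict:
    """Extract the denied permission and the principal from a GCS 403 message."""
    perm = _DENIED_RE.search(message)
    sa = _PRINCIPAL_RE.search(message)
    return {
        "permission": perm.group("perm") if perm else None,
        "principal": sa.group("sa") if sa else None,
    }


def check_bucket_access(client, bucket_name: str,
                        required: Iterable[str] = REQUIRED_BUCKET_PERMISSIONS) -> list[str]:
    """Return the required permissions the current credential lacks on the bucket.

    Bucket.test_iam_permissions() returns the subset of the requested
    permissions the caller holds; it needs network access and credentials,
    so it is not exercised offline. Call this from setUp() and fail the
    test with the returned list so CI logs show which role is missing.
    """
    required = tuple(required)
    bucket = client.bucket(bucket_name)
    granted = bucket.test_iam_permissions(list(required))
    return missing_permissions(required, granted)


# Constructed sample: the 403 text from the question, and a credential that
# holds only object-level permissions and no storage.buckets.get.
SAMPLE_403 = (
    "403 GET https://storage.googleapis.com/storage/v1/b/test_bucket_8866"
    "?fields=name&prettyPrint=false: test-service-account@tbi-finance.iam"
    ".gserviceaccount.com does not have storage.buckets.get access to the "
    "Google Cloud Storage bucket. Permission 'storage.buckets.get' denied "
    "on resource (or it may not exist)."
)
SAMPLE_GRANTED = ["storage.objects.get", "storage.objects.list", "storage.objects.create"]

if __name__ == "__main__":
    print(parse_forbidden(SAMPLE_403))
    print(missing_permissions(REQUIRED_BUCKET_PERMISSIONS, SAMPLE_GRANTED))
```

Running the module on the constructed sample reports storage.buckets.get as the single missing permission, which is the same permission the question's 403 names; in a real run, check_bucket_access(storage.Client(), "test_bucket_8866") gives the same answer directly from the API, and an empty list means the role bound to the service account is sufficient for the tests.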