Cannot access Google Cloud Storage bucket from GitHub Actions Workflow
I have the Django test case test_retrieve_bucket to test access to a GCP storage bucket.
from django.test import SimpleTestCase, TestCase
from google.cloud import storage
class DemoTest(TestCase):
def setUp(self):
self.expense = Expense.objects.create(
invoice_number = "ABC",
account_number = "123",
customer_name = "XYZ",
invoice_amount = 12.50,
invoice_date = datetime.now()
)
def test1(self):
return self.expense.invoice_number == "ABC"
def test2(self):
return self.expense.account_number == "123"
def test3(self):
return self.expense.customer_name == "XYZ"
def test_retrieve_bucket(self):
bucket = "test_bucket_8866"
client = storage.Client()
bucket = client.bucket(bucket)
return self.assertTrue(bucket.exists())
However, the test fails, and this is the error I am receiving:
google.api_core.exceptions.Forbidden: 403 GET https://storage.googleapis.com/storage/v1/b/test_bucket_8866?fields=name&prettyPrint=false: test-service-account@tbi-finance.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist).
I successful authenticated the service account with Workload Identity Federation in the previous step:
The service account I used also has Storage Object Admin permission, which should give me access to the bucket:
Here is my workflow file:
name: Django CI
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
jobs:
build:
runs-on: ubuntu-latest
strategy:
max-parallel: 4
matrix:
python-version: [3.12.4]
steps:
- uses: actions/checkout@v4
- name: auth
uses: google-github-actions/auth@v2.0.0
with:
workload_identity_provider: 'projects/334572487877/locations/global/workloadIdentityPools/learn-github-actions-pool/providers/github-cdci'
service_account: 'test-service-account@tbi-finance.iam.gserviceaccount.com'
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python-version }}
- name: Install Dependencies
run: |
pip install pipenv && pipenv install --system
- name: Run Tests
run: |
python manage.py test
permissions:
contents: 'read'
id-token: 'write'
When I ran the Django tests locally with the service account above, all of the tests passed. Is there anything else I'm missing?
Edit: This was the command I used to add the role WorkloadIdentityUser to Workload Identity Pool:
gcloud iam service-accounts add-iam-policy-binding "test-service-account@tbi-finance.iam.gserviceaccount.com" \
--project="tbi-finance" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/334572487877/locations/global/workloadIdentityPools/learn-github-actions-pool/attribute.repository/duybtr/django_cdci"
I was able to get a repro of your solution working but....Oh boy!
In the interests of simplicity, I'm going to enumerate the various resources that I created and I hope that you're able to infer the difference that get you working.
Per this comment I encourage you to add:
- the GitHub OIDC Debugger after
checkout
and beforeauth
token_format: access_token
(if not already)
steps:
- name: checkout
uses: actions/checkout@v4
- name: oidc-debugger
uses: github/actions-oidc-debugger@main
with:
audience: https://iam.googleapis.com/{PROVIDER}
- name: auth
uses: google-github-actions/auth@v2
with:
workload_identity_provider: {PROVIDER}
service_account: {EMAIL}
create_credentials_file: true
token_format: access_token
Be wary of red-herrings. I received a different error than you but this is the result of misconfiguration and not because the Google Project's IAM was incorrect:
Error: google-github-actions/auth failed with: failed to generate Google Cloud OAuth 2.0 Access Token for ${EMAIL}:
{
"error": {
"code": 403,
"message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
"status": "PERMISSION_DENIED",
"details": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "IAM_PERMISSION_DENIED",
"domain": "iam.googleapis.com",
"metadata": {
"permission": "iam.serviceAccounts.getAccessToken"
}
}
]
}
}
Pool
gcloud iam workload-identity-pools describe ${POOL} \
--project="${PROJECT}" \
--location="global"
displayName: GitHub Actions Pool
name: projects/{NUMBER}/locations/global/workloadIdentityPools/{POOL}
state: ACTIVE
Provider
gcloud iam workload-identity-pools providers describe ${PROVIDER} \
--project=${PROJECT} \
--location="global" \
--workload-identity-pool=${POOL}
attributeCondition: assertion.repository_owner=="{OWNER}" && assertion.repository=="{OWNER}/{REPO}"
attributeMapping:
attribute.actor: assertion.actor
attribute.repository: assertion.repository
attribute.repository_owner: assertion.repository_owner
google.subject: assertion.sub
displayName: {PROVIDER}
name: projects/{NUMBER}/locations/global/workloadIdentityPools/{POOL}/providers/{PROVIDER}
oidc:
issuerUri: https://token.actions.githubusercontent.com
state: ACTIVE
Project IAM
gcloud projects get-iam-policy ${PROJECT}
bindings:
- members:
- serviceAccount:{EMAIL}
role: roles/iam.serviceAccountTokenCreator
- members:
- user:{ME}
role: roles/owner
- members:
- serviceAccount:{EMAIL}
role: roles/storage.admin
etag: [REDACTED]
version: 1
NOTE Per my comment, there's no
roles/iam.workloadIdentityUser
on the Project's policy; this role is present on the Service Account's policy
Service Account IAM
gcloud iam service-accounts get-iam-policy ${EMAIL}
bindings:
- members:
- principalSet://iam.googleapis.com/projects/{NUMBER}/locations/global/workloadIdentityPools/{POOL}/attribute.repository/{OWNER}/{REPO}
role: roles/iam.workloadIdentityUser
etag: [REDACTED]
version: 1
Variables
Name | Value |
---|---|
ACCOUNT |
Service Account |
EMAIL |
Service Account email address: ${ACCOUNT}@${PROJECT}.iam.gserviceaccount.com |
ME |
My Google account |
NUMBER |
Google Cloud Project number |
OWNER |
GitHub User Account or ${ORG} |
POOL |
Workload Identity Pool |
PROJECT |
Google Cloud Project ID |
PROVIDER |
Workload Identity Provider |
REPO |
GitHub repo name |