在github操作中,我正在运行一个操作,该操作试图使用github到GCP联合id:
# see https://github.com/marketplace/actions/authenticate-to-google-cloud#setup
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v0'
with:
workload_identity_provider: 'projects/1234/locations/global/workloadIdentityPools/my-github-pool/providers/my-github-oidc-provider'
service_account: 'my-github-sa@projxyz.iam.gserviceaccount.com'
我得到:
Run google-github-actions/auth@v0
Error: google-github-actions/auth failed with: retry function failed after 1 attempt:
gitHub Actions did not inject $ACTIONS_ID_TOKEN_REQUEST_TOKEN or
$ACTIONS_ID_TOKEN_REQUEST_URL into this job.
This most likely means the GitHub Actions workflow permissions are incorrect, or this job is being run from a fork.
For more information, please see https://docs.github.com/en/actions/security-guides/automatic-
token-authentication#permissions-for-the-github_token
我正在看参考文档,但没有看到任何有用的东西。
如何让GH注入这些值?
我需要添加:
jobs:
my_job:
# Need to add these 3 lines to add "id-token" with the intended permissions.
permissions:
contents: 'read'
id-token: 'write'
此处记录了这一点:https://github.com/google-github-actions/auth#usage
对我来说,我缺少的是
- 确保workload_identity_provider的值是完整的提供程序名称,而不是池名称:
- projects/NUMBER/locations/global/workloadIdentityPools/POOL
+ projects/NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
- 需要拥有权限
permissions:
contents: 'read'
id-token: 'write'
看看这个https://github.com/google-github-actions/auth/blob/main/docs/TROUBLESHOOTING.md