Not Being Able To impersonate for Domain-Wide Delegation.

[ken5scal]

TL;DR

• Generating OAuth2.0 Access Token for Impersonating Domain-Wide Delegation fails
• Since authenticating Service Account by feeding the credentials_json runs successfully, I believe this issue is specific to Domain-Wide Delegation.
• The Service account is granted roles/iam.serviceAccountTokenCreator and roles/iam.workloadIdentityUser

Expected behavior

GitHub Action is able to retrieve an access tokens created for Domain-Wide Delegation.

Observed behavior

An access token subject was specified, triggering Domain-Wide Delegation flow. This flow does not support specifying an access token lifetime of greater than 1 hour.
Error: google-github-actions/auth failed with: failed to sign JWT using gws-access@${{PROJECT_ID}}.iam.gserviceaccount.com: {
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}

Action YAML

---
name: "[dev] fetch audit logs"

env:
  MIN_LOG_SEVERITY: DEBUG
  TZ: 'Asia/Tokyo'
  ENV: dev
  GITHUB_BRANCH: develop

on:
  # pull_request: # for debug
  workflow_dispatch:
  schedule:
    - cron: '0 10 * * *' # 1 AM JST

permissions:
  id-token: write
  contents: read

jobs:
  fetch-audit-log:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: 'google-workspace'
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: ${{ env.GITHUB_BRANCH }}
      - id: google-auth 
        # This one successfully runs
        name: 'Authenticate to Google Cloud'
        uses: google-github-actions/auth@v0
        with:
          credentials_json: '${{ secrets.GOOGLE_CREDENTIALS_TMP }}'
      - id: google-auth-2
        # This one successfully runs
        name: 'Authenticate to Google Cloud'
        uses: google-github-actions/auth@v0
        with:
          workload_identity_provider: 'projects/{{PROJECT_ID}}/locations/global/workloadIdentityPools/${{POOL_NAME}}/providers/${{PROVIDER_NAME}}'
          service_account:  'gws-access@${{PROJECT_ID}}.iam.gserviceaccount.com'
      - id: google-auth-3
        # This one fails
        name: 'Authenticate to Google Cloud'
        uses: google-github-actions/auth@v0
        with:
          token_format: 'access_token'
          workload_identity_provider: 'projects/{{PROJECT_ID}}/locations/global/workloadIdentityPools/${{POOL_NAME}}/providers/${{PROVIDER_NAME}}'
          service_account:  'gws-access@${{PROJECT_ID}}.iam.gserviceaccount.com'
#           access_token_scopes: 'https://www.googleapis.com/auth/admin.reports.audit.readonly'
          access_token_subject: 'sa@example.com' # email address in GWS

Log output

2022-05-13T12:29:40.1623907Z Requested labels: ubuntu-latest
2022-05-13T12:29:40.1623966Z Job defined at: ${{ORG}}/${{REPO}}/.github/workflows/fetch-audit-log_dev.yml@refs/heads/github-action-google-auth
2022-05-13T12:29:40.1623990Z Waiting for a runner to pick up this job...
2022-05-13T12:29:40.4800233Z Job is waiting for a hosted runner to come online.
2022-05-13T12:29:45.2868962Z Job is about to start running on the hosted runner: Hosted Agent (hosted)
2022-05-13T12:29:50.0707577Z Current runner version: '2.291.1'
2022-05-13T12:29:50.0739564Z ##[group]Operating System
2022-05-13T12:29:50.0740593Z Ubuntu
2022-05-13T12:29:50.0740952Z 20.04.4
2022-05-13T12:29:50.0741264Z LTS
2022-05-13T12:29:50.0741638Z ##[endgroup]
2022-05-13T12:29:50.0742052Z ##[group]Virtual Environment
2022-05-13T12:29:50.0742555Z Environment: ubuntu-20.04
2022-05-13T12:29:50.0742991Z Version: 20220508.1
2022-05-13T12:29:50.0743697Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20220508.1/images/linux/Ubuntu2004-Readme.md
2022-05-13T12:29:50.0744460Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20220508.1
2022-05-13T12:29:50.0745062Z ##[endgroup]
2022-05-13T12:29:50.0745511Z ##[group]Virtual Environment Provisioner
2022-05-13T12:29:50.0745952Z 1.0.0.0-main-20220421-1
2022-05-13T12:29:50.0746330Z ##[endgroup]
2022-05-13T12:29:50.0747074Z ##[group]GITHUB_TOKEN Permissions
2022-05-13T12:29:50.0747728Z Contents: read
2022-05-13T12:29:50.0748302Z Metadata: read
2022-05-13T12:29:50.0748747Z ##[endgroup]
2022-05-13T12:29:50.0753317Z Secret source: Actions
2022-05-13T12:29:50.0753867Z Prepare workflow directory
2022-05-13T12:29:50.1960620Z Prepare all required actions
2022-05-13T12:29:50.2180645Z Getting action download info
2022-05-13T12:29:50.4584091Z Download action repository 'actions/checkout@v2' (SHA:7884fcad6b5d53d10323aee724dc68d8b9096a2e)
2022-05-13T12:29:50.7876931Z Download action repository 'google-github-actions/auth@v0' (SHA:b258a9f230b36c9fa86dfaa43d1906bd76399edb)
2022-05-13T12:29:50.9419977Z Download action repository 'actions/setup-go@v3' (SHA:fcdc43634adb5f7ae75a9d7a9b9361790f7293e2)
2022-05-13T12:29:51.1323807Z Download action repository 'actions/cache@v3.0.1' (SHA:136d96b4aee02b1f0de3ba493b1d47135042d9c0)
2022-05-13T12:29:51.3668058Z Download action repository 'aws-actions/configure-aws-credentials@v1.6.0' (SHA:ea7b857d8a33dc2fb4ef5a724500044281b49a5e)
2022-05-13T12:29:51.8839272Z ##[group]Run actions/checkout@v2
2022-05-13T12:29:51.8839712Z with:
2022-05-13T12:29:51.8839993Z   ref: develop
2022-05-13T12:29:51.8840310Z   repository: ${{ORG}}/${{REPO}}
2022-05-13T12:29:51.8840946Z   token: ***
2022-05-13T12:29:51.8841226Z   ssh-strict: true
2022-05-13T12:29:51.8841561Z   persist-credentials: true
2022-05-13T12:29:51.8841887Z   clean: true
2022-05-13T12:29:51.8842167Z   fetch-depth: 1
2022-05-13T12:29:51.8842464Z   lfs: false
2022-05-13T12:29:51.8842734Z   submodules: false
2022-05-13T12:29:51.8843060Z   set-safe-directory: true
2022-05-13T12:29:51.8843368Z env:
2022-05-13T12:29:51.8843655Z   MIN_LOG_SEVERITY: DEBUG
2022-05-13T12:29:51.8843958Z   TZ: Asia/Tokyo
2022-05-13T12:29:51.8844211Z   ENV: dev
2022-05-13T12:29:51.8844495Z   GITHUB_BRANCH: develop
2022-05-13T12:29:51.8844815Z   AWS_ACCOUNT_ID: xxxxxxx
2022-05-13T12:29:51.8845390Z   AWS_ASSUME_ROLE: xxxxxxx
2022-05-13T12:29:51.8845989Z   GO_VERSION: 1.17.2
2022-05-13T12:29:51.8846272Z ##[endgroup]
2022-05-13T12:29:52.1749516Z Syncing repository: ${{ORG}}/${{REPO}}
2022-05-13T12:29:52.1752466Z ##[group]Getting Git version info
2022-05-13T12:29:52.1753626Z Working directory is '/home/runner/work/${{REPOP}}/$${{REPO}}'
2022-05-13T12:29:52.1755038Z [command]/usr/bin/git version
2022-05-13T12:29:52.1861256Z git version 2.36.1
2022-05-13T12:29:52.1878853Z ##[endgroup]
2022-05-13T12:29:52.1903146Z Temporarily overriding HOME='/home/runner/work/_temp/e7d67131-5032-4b90-9d43-1be92d0da22f' before making global git config changes
2022-05-13T12:29:52.1904212Z Adding repository directory to the temporary git global config as a safe directory
2022-05-13T12:29:52.1905168Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/clos/clos
2022-05-13T12:29:52.2025214Z Deleting the contents of '/home/runner/work/clos/clos'
2022-05-13T12:29:52.2032389Z ##[group]Initializing the repository
2022-05-13T12:29:52.2034327Z [command]/usr/bin/git init /home/runner/work/clos/clos
2022-05-13T12:29:52.2068945Z hint: Using 'master' as the name for the initial branch. This default branch name
2022-05-13T12:29:52.2069948Z hint: is subject to change. To configure the initial branch name to use in all
2022-05-13T12:29:52.2070858Z hint: of your new repositories, which will suppress this warning, call:
2022-05-13T12:29:52.2071244Z hint: 
2022-05-13T12:29:52.2071768Z hint: 	git config --global init.defaultBranch <name>
2022-05-13T12:29:52.2072139Z hint: 
2022-05-13T12:29:52.2072641Z hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
2022-05-13T12:29:52.2073296Z hint: 'development'. The just-created branch can be renamed via this command:
2022-05-13T12:29:52.2073702Z hint: 
2022-05-13T12:29:52.2074147Z hint: 	git branch -m <name>
2022-05-13T12:29:52.2074754Z Initialized empty Git repository in /home/runner/work/${{REPO}}/${{REP{O}}/.git/
2022-05-13T12:29:52.2364383Z [command]/usr/bin/git remote add origin https://github.com/${{ORG}}/${{REPO}}
2022-05-13T12:29:52.2365241Z ##[endgroup]
2022-05-13T12:29:52.2365898Z ##[group]Disabling automatic garbage collection
2022-05-13T12:29:52.2412074Z [command]/usr/bin/git config --local gc.auto 0
2022-05-13T12:29:52.2442378Z ##[endgroup]
2022-05-13T12:29:52.2443072Z ##[group]Setting up auth
2022-05-13T12:29:52.2444634Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2022-05-13T12:29:52.2497570Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :
2022-05-13T12:29:52.3033100Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2022-05-13T12:29:52.3060596Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :
2022-05-13T12:29:52.3349273Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic ***
2022-05-13T12:29:52.3412427Z ##[endgroup]
2022-05-13T12:29:52.3413714Z ##[group]Fetching the repository
2022-05-13T12:29:52.3415568Z [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +refs/heads/develop*:refs/remotes/origin/develop* +refs/tags/develop*:refs/tags/develop*
2022-05-13T12:29:52.7627728Z remote: Enumerating objects: 96, done.        
2022-05-13T12:29:52.7632999Z remote: Counting objects:   1% (1/96)        
2022-05-13T12:29:52.7634048Z remote: Counting objects:   2% (2/96)        
2022-05-13T12:29:52.7634682Z remote: Counting objects:   3% (3/96)        
2022-05-13T12:29:52.7635567Z remote: Counting objects:   4% (4/96)        
2022-05-13T12:29:52.7636176Z remote: Counting objects:   5% (5/96)        
2022-05-13T12:29:52.7637010Z remote: Counting objects:   6% (6/96)        
2022-05-13T12:29:52.7637614Z remote: Counting objects:   7% (7/96)        
2022-05-13T12:29:52.7638477Z remote: Counting objects:   8% (8/96)        
2022-05-13T12:29:52.7639094Z remote: Counting objects:   9% (9/96)        
2022-05-13T12:29:52.7639962Z remote: Counting objects:  10% (10/96)        
2022-05-13T12:29:52.7640582Z remote: Counting objects:  11% (11/96)        
2022-05-13T12:29:52.7641457Z remote: Counting objects:  12% (12/96)        
2022-05-13T12:29:52.7642052Z remote: Counting objects:  13% (13/96)        
2022-05-13T12:29:52.7642902Z remote: Counting objects:  14% (14/96)        
2022-05-13T12:29:52.7643519Z remote: Counting objects:  15% (15/96)        
2022-05-13T12:29:52.7644365Z remote: Counting objects:  16% (16/96)        
2022-05-13T12:29:52.7645108Z remote: Counting objects:  17% (17/96)        
2022-05-13T12:29:52.7645959Z remote: Counting objects:  18% (18/96)        
2022-05-13T12:29:52.7646566Z remote: Counting objects:  19% (19/96)        
2022-05-13T12:29:52.7647422Z remote: Counting objects:  20% (20/96)        
2022-05-13T12:29:52.7648022Z remote: Counting objects:  21% (21/96)        
2022-05-13T12:29:52.7648871Z remote: Counting objects:  22% (22/96)        
2022-05-13T12:29:52.7649773Z remote: Counting objects:  23% (23/96)        
2022-05-13T12:29:52.7650635Z remote: Counting objects:  25% (24/96)        
2022-05-13T12:29:52.7651240Z remote: Counting objects:  26% (25/96)        
2022-05-13T12:29:52.7652080Z remote: Counting objects:  27% (26/96)        
2022-05-13T12:29:52.7652665Z remote: Counting objects:  28% (27/96)        
2022-05-13T12:29:52.7653524Z remote: Counting objects:  29% (28/96)        
2022-05-13T12:29:52.7654233Z remote: Counting objects:  30% (29/96)        
2022-05-13T12:29:52.7655082Z remote: Counting objects:  31% (30/96)        
2022-05-13T12:29:52.7655687Z remote: Counting objects:  32% (31/96)        
2022-05-13T12:29:52.7656543Z remote: Counting objects:  33% (32/96)        
2022-05-13T12:29:52.7657146Z remote: Counting objects:  34% (33/96)        
2022-05-13T12:29:52.7658305Z remote: Counting objects:  35% (34/96)        
2022-05-13T12:29:52.7658910Z remote: Counting objects:  36% (35/96)        
2022-05-13T12:29:52.7660081Z remote: Counting objects:  37% (36/96)        
2022-05-13T12:29:52.7660712Z remote: Counting objects:  38% (37/96)        
2022-05-13T12:29:52.7662102Z remote: Counting objects:  39% (38/96)        
2022-05-13T12:29:52.7663766Z remote: Counting objects:  40% (39/96)        
2022-05-13T12:29:52.7664374Z remote: Counting objects:  41% (40/96)        
2022-05-13T12:29:52.7665062Z remote: Counting objects:  42% (41/96)        
2022-05-13T12:29:52.7665938Z remote: Counting objects:  43% (42/96)        
2022-05-13T12:29:52.7666524Z remote: Counting objects:  44% (43/96)        
2022-05-13T12:29:52.7667031Z remote: Counting objects:  45% (44/96)        
2022-05-13T12:29:52.7667532Z remote: Counting objects:  46% (45/96)        
2022-05-13T12:29:52.7668032Z remote: Counting objects:  47% (46/96)        
2022-05-13T12:29:52.7668525Z remote: Counting objects:  48% (47/96)        
2022-05-13T12:29:52.7669247Z remote: Counting objects:  50% (48/96)        
2022-05-13T12:29:52.7669772Z remote: Counting objects:  51% (49/96)        
2022-05-13T12:29:52.7670323Z remote: Counting objects:  52% (50/96)        
2022-05-13T12:29:52.7670826Z remote: Counting objects:  53% (51/96)        
2022-05-13T12:29:52.7671327Z remote: Counting objects:  54% (52/96)        
2022-05-13T12:29:52.7671820Z remote: Counting objects:  55% (53/96)        
2022-05-13T12:29:52.7672313Z remote: Counting objects:  56% (54/96)        
2022-05-13T12:29:52.7672809Z remote: Counting objects:  57% (55/96)        
2022-05-13T12:29:52.7673309Z remote: Counting objects:  58% (56/96)        
2022-05-13T12:29:52.7673785Z remote: Counting objects:  59% (57/96)        
2022-05-13T12:29:52.7674470Z remote: Counting objects:  60% (58/96)        
2022-05-13T12:29:52.7674970Z remote: Counting objects:  61% (59/96)        
2022-05-13T12:29:52.7675461Z remote: Counting objects:  62% (60/96)        
2022-05-13T12:29:52.7675964Z remote: Counting objects:  63% (61/96)        
2022-05-13T12:29:52.7676450Z remote: Counting objects:  64% (62/96)        
2022-05-13T12:29:52.7676945Z remote: Counting objects:  65% (63/96)        
2022-05-13T12:29:52.7677438Z remote: Counting objects:  66% (64/96)        
2022-05-13T12:29:52.7678158Z remote: Counting objects:  67% (65/96)        
2022-05-13T12:29:52.7678667Z remote: Counting objects:  68% (66/96)        
2022-05-13T12:29:52.7679165Z remote: Counting objects:  69% (67/96)        
2022-05-13T12:29:52.7679661Z remote: Counting objects:  70% (68/96)        
2022-05-13T12:29:52.7680152Z remote: Counting objects:  71% (69/96)        
2022-05-13T12:29:52.7680640Z remote: Counting objects:  72% (70/96)        
2022-05-13T12:29:52.7681134Z remote: Counting objects:  73% (71/96)        
2022-05-13T12:29:52.7681612Z remote: Counting objects:  75% (72/96)        
2022-05-13T12:29:52.7682102Z remote: Counting objects:  76% (73/96)        
2022-05-13T12:29:52.7682795Z remote: Counting objects:  77% (74/96)        
2022-05-13T12:29:52.7683527Z remote: Counting objects:  78% (75/96)        
2022-05-13T12:29:52.7684033Z remote: Counting objects:  79% (76/96)        
2022-05-13T12:29:52.7684705Z remote: Counting objects:  80% (77/96)        
2022-05-13T12:29:52.7685205Z remote: Counting objects:  81% (78/96)        
2022-05-13T12:29:52.7686655Z remote: Counting objects:  82% (79/96)        
2022-05-13T12:29:52.7687051Z remote: Counting objects:  83% (80/96)        
2022-05-13T12:29:52.7687440Z remote: Counting objects:  84% (81/96)        
2022-05-13T12:29:52.7687827Z remote: Counting objects:  85% (82/96)        
2022-05-13T12:29:52.7688401Z remote: Counting objects:  86% (83/96)        
2022-05-13T12:29:52.7688917Z remote: Counting objects:  87% (84/96)        
2022-05-13T12:29:52.7689305Z remote: Counting objects:  88% (85/96)        
2022-05-13T12:29:52.7689681Z remote: Counting objects:  89% (86/96)        
2022-05-13T12:29:52.7690067Z remote: Counting objects:  90% (87/96)        
2022-05-13T12:29:52.7690460Z remote: Counting objects:  91% (88/96)        
2022-05-13T12:29:52.7690863Z remote: Counting objects:  92% (89/96)        
2022-05-13T12:29:52.7691251Z remote: Counting objects:  93% (90/96)        
2022-05-13T12:29:52.7691635Z remote: Counting objects:  94% (91/96)        
2022-05-13T12:29:52.7692028Z remote: Counting objects:  95% (92/96)        
2022-05-13T12:29:52.7692422Z remote: Counting objects:  96% (93/96)        
2022-05-13T12:29:52.7692820Z remote: Counting objects:  97% (94/96)        
2022-05-13T12:29:52.7693208Z remote: Counting objects:  98% (95/96)        
2022-05-13T12:29:52.7693592Z remote: Counting objects: 100% (96/96)        
2022-05-13T12:29:52.7694123Z remote: Counting objects: 100% (96/96), done.        
2022-05-13T12:29:52.7694721Z remote: Compressing objects:   1% (1/82)        
2022-05-13T12:29:52.7695154Z remote: Compressing objects:   2% (2/82)        
2022-05-13T12:29:52.7695570Z remote: Compressing objects:   3% (3/82)        
2022-05-13T12:29:52.7695994Z remote: Compressing objects:   4% (4/82)        
2022-05-13T12:29:52.7696708Z remote: Compressing objects:   6% (5/82)        
2022-05-13T12:29:52.7697144Z remote: Compressing objects:   7% (6/82)        
2022-05-13T12:29:52.7697551Z remote: Compressing objects:   8% (7/82)        
2022-05-13T12:29:52.7697960Z remote: Compressing objects:   9% (8/82)        
2022-05-13T12:29:52.7698374Z remote: Compressing objects:  10% (9/82)        
2022-05-13T12:29:52.7698798Z remote: Compressing objects:  12% (10/82)        
2022-05-13T12:29:52.7704741Z remote: Compressing objects:  13% (11/82)        
2022-05-13T12:29:52.7705387Z remote: Compressing objects:  14% (12/82)        
2022-05-13T12:29:52.7708287Z remote: Compressing objects:  15% (13/82)        
2022-05-13T12:29:52.7708948Z remote: Compressing objects:  17% (14/82)        
2022-05-13T12:29:52.7711839Z remote: Compressing objects:  18% (15/82)        
2022-05-13T12:29:52.7713305Z remote: Compressing objects:  19% (16/82)        
2022-05-13T12:29:52.7713936Z remote: Compressing objects:  20% (17/82)        
2022-05-13T12:29:52.7715383Z remote: Compressing objects:  21% (18/82)        
2022-05-13T12:29:52.7715941Z remote: Compressing objects:  23% (19/82)        
2022-05-13T12:29:52.7717121Z remote: Compressing objects:  24% (20/82)        
2022-05-13T12:29:52.7717514Z remote: Compressing objects:  25% (21/82)        
2022-05-13T12:29:52.7717898Z remote: Compressing objects:  26% (22/82)        
2022-05-13T12:29:52.7718827Z remote: Compressing objects:  28% (23/82)        
2022-05-13T12:29:52.7719215Z remote: Compressing objects:  29% (24/82)        
2022-05-13T12:29:52.7719701Z remote: Compressing objects:  30% (25/82)        
2022-05-13T12:29:52.7722561Z remote: Compressing objects:  31% (26/82)        
2022-05-13T12:29:52.7722978Z remote: Compressing objects:  32% (27/82)        
2022-05-13T12:29:52.7723357Z remote: Compressing objects:  34% (28/82)        
2022-05-13T12:29:52.7723944Z remote: Compressing objects:  35% (29/82)        
2022-05-13T12:29:52.7725495Z remote: Compressing objects:  36% (30/82)        
2022-05-13T12:29:52.7729729Z remote: Compressing objects:  37% (31/82)        
2022-05-13T12:29:52.7730312Z remote: Compressing objects:  39% (32/82)        
2022-05-13T12:29:52.7731029Z remote: Compressing objects:  40% (33/82)        
2022-05-13T12:29:52.7731727Z remote: Compressing objects:  41% (34/82)        
2022-05-13T12:29:52.7732215Z remote: Compressing objects:  42% (35/82)        
2022-05-13T12:29:52.7738039Z remote: Compressing objects:  43% (36/82)        
2022-05-13T12:29:52.7738715Z remote: Compressing objects:  45% (37/82)        
2022-05-13T12:29:52.7798714Z remote: Compressing objects:  46% (38/82)        
2022-05-13T12:29:52.7799433Z remote: Compressing objects:  47% (39/82)        
2022-05-13T12:29:52.7801215Z remote: Compressing objects:  48% (40/82)        
2022-05-13T12:29:52.7801631Z remote: Compressing objects:  50% (41/82)        
2022-05-13T12:29:52.7802019Z remote: Compressing objects:  51% (42/82)        
2022-05-13T12:29:52.7802403Z remote: Compressing objects:  52% (43/82)        
2022-05-13T12:29:52.7802805Z remote: Compressing objects:  53% (44/82)        
2022-05-13T12:29:52.7803177Z remote: Compressing objects:  54% (45/82)        
2022-05-13T12:29:52.7803565Z remote: Compressing objects:  56% (46/82)        
2022-05-13T12:29:52.7803945Z remote: Compressing objects:  57% (47/82)        
2022-05-13T12:29:52.7804322Z remote: Compressing objects:  58% (48/82)        
2022-05-13T12:29:52.7804699Z remote: Compressing objects:  59% (49/82)        
2022-05-13T12:29:52.7807398Z remote: Compressing objects:  60% (50/82)        
2022-05-13T12:29:52.7807847Z remote: Compressing objects:  62% (51/82)        
2022-05-13T12:29:52.7808226Z remote: Compressing objects:  63% (52/82)        
2022-05-13T12:29:52.7808604Z remote: Compressing objects:  64% (53/82)        
2022-05-13T12:29:52.7808981Z remote: Compressing objects:  65% (54/82)        
2022-05-13T12:29:52.7809362Z remote: Compressing objects:  67% (55/82)        
2022-05-13T12:29:52.7809722Z remote: Compressing objects:  68% (56/82)        
2022-05-13T12:29:52.7811929Z remote: Compressing objects:  69% (57/82)        
2022-05-13T12:29:52.7812357Z remote: Compressing objects:  70% (58/82)        
2022-05-13T12:29:52.7812743Z remote: Compressing objects:  71% (59/82)        
2022-05-13T12:29:52.7813128Z remote: Compressing objects:  73% (60/82)        
2022-05-13T12:29:52.7813507Z remote: Compressing objects:  74% (61/82)        
2022-05-13T12:29:52.7813870Z remote: Compressing objects:  75% (62/82)        
2022-05-13T12:29:52.7814245Z remote: Compressing objects:  76% (63/82)        
2022-05-13T12:29:52.7814619Z remote: Compressing objects:  78% (64/82)        
2022-05-13T12:29:52.7814993Z remote: Compressing objects:  79% (65/82)        
2022-05-13T12:29:52.7815367Z remote: Compressing objects:  80% (66/82)        
2022-05-13T12:29:52.7815747Z remote: Compressing objects:  81% (67/82)        
2022-05-13T12:29:52.7816109Z remote: Compressing objects:  82% (68/82)        
2022-05-13T12:29:52.7816486Z remote: Compressing objects:  84% (69/82)        
2022-05-13T12:29:52.7816866Z remote: Compressing objects:  85% (70/82)        
2022-05-13T12:29:52.7817242Z remote: Compressing objects:  86% (71/82)        
2022-05-13T12:29:52.7817621Z remote: Compressing objects:  87% (72/82)        
2022-05-13T12:29:52.7817992Z remote: Compressing objects:  89% (73/82)        
2022-05-13T12:29:52.7818352Z remote: Compressing objects:  90% (74/82)        
2022-05-13T12:29:52.7818726Z remote: Compressing objects:  91% (75/82)        
2022-05-13T12:29:52.7819100Z remote: Compressing objects:  92% (76/82)        
2022-05-13T12:29:52.7819906Z remote: Compressing objects:  93% (77/82)        
2022-05-13T12:29:52.7821386Z remote: Compressing objects:  95% (78/82)        
2022-05-13T12:29:52.7822094Z remote: Compressing objects:  96% (79/82)        
2022-05-13T12:29:52.7823151Z remote: Compressing objects:  97% (80/82)        
2022-05-13T12:29:52.7823752Z remote: Compressing objects:  98% (81/82)        
2022-05-13T12:29:52.7824754Z remote: Compressing objects: 100% (82/82)        
2022-05-13T12:29:52.7825380Z remote: Compressing objects: 100% (82/82), done.        
2022-05-13T12:29:52.8286228Z remote: Total 96 (delta 18), reused 49 (delta 9), pack-reused 0        
2022-05-13T12:29:52.8556918Z From https://github.com/${{ORG}}/${{REPO}}
2022-05-13T12:29:52.8557853Z  * [new branch]      develop    -> origin/develop
2022-05-13T12:29:52.8573620Z ##[endgroup]
2022-05-13T12:29:52.8574239Z ##[group]Determining the checkout info
2022-05-13T12:29:52.8580786Z [command]/usr/bin/git branch --list --remote origin/develop
2022-05-13T12:29:52.8615910Z   origin/develop
2022-05-13T12:29:52.8622263Z ##[endgroup]
2022-05-13T12:29:52.8623134Z ##[group]Checking out the ref
2022-05-13T12:29:52.8628643Z [command]/usr/bin/git checkout --progress --force -B develop refs/remotes/origin/develop
2022-05-13T12:29:52.8834051Z Switched to a new branch 'develop'
2022-05-13T12:29:52.8835140Z branch 'develop' set up to track 'origin/develop'.
2022-05-13T12:29:52.8842753Z ##[endgroup]
2022-05-13T12:29:52.8900151Z [command]/usr/bin/git log -1 --format='%H'
2022-05-13T12:29:52.8935983Z '9dbaa62ebc38735bf7a794c606c88fa654edc2de'
2022-05-13T12:29:52.9269889Z ##[group]Run google-github-actions/auth@v0
2022-05-13T12:29:52.9270268Z with:
2022-05-13T12:29:52.9270552Z   token_format: access_token
2022-05-13T12:29:52.9271119Z   workload_identity_provider: projects/395146694571/locations/global/workloadIdentityPools/${{POOL_ID}}/providers/github-action
2022-05-13T12:29:52.9271843Z   service_account: gws-access@${{PROJECT_ID}}.iam.gserviceaccount.com
2022-05-13T12:29:52.9272353Z   access_token_subject: sa@example.com
2022-05-13T12:29:52.9272718Z   create_credentials_file: true
2022-05-13T12:29:52.9273078Z   export_environment_variables: true
2022-05-13T12:29:52.9273432Z   cleanup_credentials: true
2022-05-13T12:29:52.9273764Z   access_token_lifetime: 3600s
2022-05-13T12:29:52.9274205Z   access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2022-05-13T12:29:52.9274652Z   id_token_include_email: false
2022-05-13T12:29:52.9274939Z env:
2022-05-13T12:29:52.9275205Z   MIN_LOG_SEVERITY: DEBUG
2022-05-13T12:29:52.9275531Z   TZ: Asia/Tokyo
2022-05-13T12:29:52.9275785Z   ENV: dev
2022-05-13T12:29:52.9276061Z   GITHUB_BRANCH: develop
2022-05-13T12:29:52.9276366Z   AWS_ACCOUNT_ID: xxxxxx
2022-05-13T12:29:52.9276919Z   AWS_ASSUME_ROLE: xxxxxx
2022-05-13T12:29:52.9277449Z   GO_VERSION: 1.17.2
2022-05-13T12:29:52.9277717Z ##[endgroup]
2022-05-13T12:29:53.2423822Z Created credentials file at "/home/runner/work/clos/clos/gha-creds-029129737f17a4ef.json"
2022-05-13T12:29:53.2427997Z 
2022-05-13T12:29:53.2463556Z 
2022-05-13T12:29:53.2481857Z An access token subject was specified, triggering Domain-Wide Delegation flow. This flow does not support specifying an access token lifetime of greater than 1 hour.
2022-05-13T12:29:53.3970417Z ##[error]google-github-actions/auth failed with: failed to sign JWT using gws-access@${{PROJECT_ID}}.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}
2022-05-13T12:29:53.4096962Z Post job cleanup.
2022-05-13T12:29:53.4859073Z Removed exported credentials at "/home/runner/work/clos/clos/gha-creds-029129737f17a4ef.json".
2022-05-13T12:29:53.4984195Z Post job cleanup.
2022-05-13T12:29:53.6485352Z [command]/usr/bin/git version
2022-05-13T12:29:53.6547661Z git version 2.36.1
2022-05-13T12:29:53.6592145Z Temporarily overriding HOME='/home/runner/work/_temp/5d04b7b9-fb2d-44d3-ac27-e7e565b9c97f' before making global git config changes
2022-05-13T12:29:53.6593221Z Adding repository directory to the temporary git global config as a safe directory
2022-05-13T12:29:53.6598970Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/${{REPO}}/${{REPO}}
2022-05-13T12:29:53.6646503Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2022-05-13T12:29:53.6687097Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :
2022-05-13T12:29:53.7008066Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2022-05-13T12:29:53.7038551Z http.https://github.com/.extraheader
2022-05-13T12:29:53.7050943Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader
2022-05-13T12:29:53.7092029Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :
2022-05-13T12:29:53.7609907Z Cleaning up orphan processes

Additional information

No response

[sethvargo]

Hi @ken5scal

Can you try setting access_token_lifetime to 1800s? I'm wondering if there's some clock skew...

[fujikky]

I had the same problem and tried setting access_token_lifetime to 1800s but it didn't solve.

[ken5scal]

@sethvargo @fujikky
Actually, it worked!
Just to note, I was required to set one or more Google Workspace related API scopes to access_token_scopes .　

- id: google-auth-3
        name: 'Authenticate to Google Cloud'
        uses: google-github-actions/auth@v0
        with:
          token_format: 'access_token'
          workload_identity_provider: 'projects/{PROJECT_ID}/locations/global/workloadIdentityPools/${ID_POOL}/providers/${PROVIDER}'
          service_account:  'sa@example.com'
          access_token_scopes: 'https://www.googleapis.com/auth/admin.reports.audit.readonly'
          access_token_subject: 'gws@gws.com'
          access_token_lifetime: '1800s'

[ken5scal]

I have retrieved following credential as result of google-github-actions/auth. How do we use this to access Google Workspace API in our code?

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/${PROJECT_ID}/locations/global/workloadIdentityPools/${IDENTITY_POOL_ID}/providers/${PROVIDER_ID}",
  "subject_token_type": "urn:ietf:params:oauth:token type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@${PROJECT_ID}.iam.gserviceaccount.com:generateAccessToken",
  "credential_source": {
    "url": "https://pipelines.actions.githubusercontent.com/SOME_RANDOM_STRING/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/SOME_RANDOM_STRING/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2Fprojects%${PROJECT_ID}%2Flocations%2Fglobal%2FworkloadIdentityPools%2F${IDENTITY_POOL_ID}%2Fproviders%2F${PROVIDER_ID}",
    "headers": {
      "Authorization": "***"
    },
    "format": {
      "type": "json",
      "subject_token_field_name": "value"
    }
  }
}

Using this value just like the way we do in service account key, the API returned an authorization error with following messages (depends on how you implement):

• googleapi: Error 401: Access denied. You are not authorized to read activity records., authError
• google: could not parse JSON key: google: read JWT from JSON credentials: 'type' field is "external_account" (expected "service_account")

[fujikky]

@ken5scal
Thanks for the info!
However, adding access_token_scopes did not solve the problem.

Here is the YAML of the Actions I tried.

- id: auth
  uses: google-github-actions/auth@v0
  with:
    workload_identity_provider: projects/00000000000/locations/global/workloadIdentityPools/github-actions/providers/foo-provider
    service_account: foo@bar-project-id.iam.gserviceaccount.com
    token_format: access_token
    access_token_scopes: https://www.googleapis.com/auth/spreadsheets
    access_token_subject: user@example.com
    access_token_lifetime: 1800s

I got the same error message.

An access token subject was specified, triggering Domain-Wide Delegation flow. This flow does not support specifying an access token lifetime of greater than 1 hour.
Error: google-github-actions/auth failed with: failed to sign JWT using foo@bar-project-id.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

[sethvargo]

@ken5scal what API(s) are you trying to call after authenticating? The action.yml in the original issue stops at the auth step. Note all technologies support WIF (for example, bq and gsutil do not support WIF).

@fujikky make sure you've granted roles/iam.serviceAccountTokenCreator and roles/iam.workloadIdentityUser to the external identity ("principalSet").

[ken5scal]

@sethvargo
Thanks. I'm trying to use Admin API to list activities for Google Workspace applications such as the Admin console application or the Google Drive application.
More specifically I am using Admin Go Package.
https://pkg.go.dev/google.golang.org/api/admin/reports/v1#ActivitiesService.List

I believe the value in scope (
https://www.googleapis.com/auth/admin.reports.audit.readonly ) is correct since non-keyless domain-wide delegation is working.

[fujikky]

@sethvargo
Thanks for the reply!
As you said, my identity's principalSet was missing a policy.
So I attached the policy with the following command.
But I'm still getting a PERMISSION_DENIED error.

gcloud iam service-accounts add-iam-policy-binding "${SA_EMAIL}" \
  --project="${PROJECT_ID}" \   
  --role="roles/iam.serviceAccountTokenCreator" \
  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${REPO}"

gcloud iam service-accounts add-iam-policy-binding "${SA_EMAIL}" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${REPO}"

I have confirmed that the policy is attached in the Cloud Console.
Are there any other possible factors?

[sethvargo]

And the error message is still "failed to sign JWT using ..."? Do you have debug logs you could share?

[ken5scal]

failed to sign JWT using ...

That's right. Let me share the debug log later

[fujikky]

@sethvargo

Thanks for the help! My current error message is not about JWT.
Here is the debug log.

2022-05-18T02:48:54.1079318Z ##[debug]Evaluating condition for step: 'Run google-github-actions/auth@v0'
2022-05-18T02:48:54.1081779Z ##[debug]Evaluating: success()
2022-05-18T02:48:54.1082119Z ##[debug]Evaluating success:
2022-05-18T02:48:54.1082637Z ##[debug]=> true
2022-05-18T02:48:54.1083009Z ##[debug]Result: true
2022-05-18T02:48:54.1083741Z ##[debug]Starting: Run google-github-actions/auth@v0
2022-05-18T02:48:54.1107122Z ##[debug]Register post job cleanup for action: google-github-actions/auth@v0
2022-05-18T02:48:54.1116376Z ##[debug]Loading inputs
2022-05-18T02:48:54.1156861Z ##[debug]Loading env
2022-05-18T02:48:54.1161340Z ##[group]Run google-github-actions/auth@v0
2022-05-18T02:48:54.1161582Z with:
2022-05-18T02:48:54.1161931Z   workload_identity_provider: projects/42297918024/locations/global/workloadIdentityPools/github-actions/providers/gha-provider
2022-05-18T02:48:54.1162401Z   service_account: github-actions@{PROJECT_ID}.iam.gserviceaccount.com
2022-05-18T02:48:54.1162711Z   token_format: access_token
2022-05-18T02:48:54.1163062Z   access_token_scopes: https://www.googleapis.com/auth/spreadsheets
2022-05-18T02:48:54.1163384Z   access_token_subject: sa@timetreeapp.com
2022-05-18T02:48:54.1163637Z   access_token_lifetime: 1800s
2022-05-18T02:48:54.1163869Z   create_credentials_file: true
2022-05-18T02:48:54.1164104Z   export_environment_variables: true
2022-05-18T02:48:54.1164434Z   cleanup_credentials: true
2022-05-18T02:48:54.1164655Z   id_token_include_email: false
2022-05-18T02:48:54.1164857Z ##[endgroup]
2022-05-18T02:48:54.1812723Z ##[debug]Using workload identity provider "projects/42297918024/locations/global/workloadIdentityPools/github-actions/providers/gha-provider"
2022-05-18T02:48:54.1817176Z ##[debug]ID token url is https://pipelines.actions.githubusercontent.com/ThSaUVFeAIsX9U3ghIS2qvmytZ8tsU4CoRIlqN5OLLcIXO5qGG/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/ec8a42c1-46ad-472d-9ad2-c6be602fc6f9/jobs/4a0cec82-aaa7-5c07-9c1e-30cc88945a51/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2Fprojects%2F42297918024%2Flocations%2Fglobal%2FworkloadIdentityPools%2Fgithub-actions%2Fproviders%2Fgha-provider
2022-05-18T02:48:54.3937599Z ::add-mask::***
2022-05-18T02:48:54.3944876Z ##[debug]Creating credentials file
2022-05-18T02:48:54.3984836Z Created credentials file at "/home/runner/work/{REPO}/{REPO}/gha-creds-70989b20f5b188ff.json"
2022-05-18T02:48:54.3988901Z 
2022-05-18T02:48:54.3993326Z ::set-output name=credentials_file_path::/home/runner/work/{REPO}/{REPO}/gha-creds-70989b20f5b188ff.json
2022-05-18T02:48:54.4013089Z ##[debug]steps.auth.outputs.credentials_file_path='/home/runner/work/{REPO}/{REPO}/gha-creds-70989b20f5b188ff.json'
2022-05-18T02:48:54.4016898Z 
2022-05-18T02:48:54.4017544Z ::set-output name=project_id::{PROJECT_ID}
2022-05-18T02:48:54.4018029Z ##[debug]steps.auth.outputs.project_id='{PROJECT_ID}'
2022-05-18T02:48:54.4018509Z ##[debug]Creating access token
2022-05-18T02:48:54.7174350Z ##[error]google-github-actions/auth failed with: failed to generate Google Cloud access token for github-actions@{PROJECT_ID}.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}
2022-05-18T02:48:54.7211084Z ##[debug]Node Action run completed with exit code 1
2022-05-18T02:48:54.7222553Z ##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/{REPO}/{REPO}/gha-creds-70989b20f5b188ff.json'
2022-05-18T02:48:54.7223354Z ##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/{REPO}/{REPO}/gha-creds-70989b20f5b188ff.json'
2022-05-18T02:48:54.7223960Z ##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/{REPO}/{REPO}/gha-creds-70989b20f5b188ff.json'
2022-05-18T02:48:54.7224415Z ##[debug]CLOUDSDK_CORE_PROJECT='{PROJECT_ID}'
2022-05-18T02:48:54.7224994Z ##[debug]CLOUDSDK_PROJECT='{PROJECT_ID}'
2022-05-18T02:48:54.7225295Z ##[debug]GCLOUD_PROJECT='{PROJECT_ID}'
2022-05-18T02:48:54.7225590Z ##[debug]GCP_PROJECT='{PROJECT_ID}'
2022-05-18T02:48:54.7225896Z ##[debug]GOOGLE_CLOUD_PROJECT='{PROJECT_ID}'
2022-05-18T02:48:54.7231175Z ##[debug]Finishing: Run google-github-actions/auth@v0

[fujikky]

@sethvargo
It finally worked! 🎉

First, I founded that the attribute.repository was missing in the provider's attributes! I redid the README steps and set the correct attributes. Sorry for my mistake.

Next, I found a bug in the auth action.
The code to suppress the warning, fixed 2 days ago, does not seem to pass through the buildDomainWideDelegationJWT if the access_token_lifetime exceeds 3600 seconds.

auth/src/main.ts

Line 213 in 714f1fe

if (accessTokenSubject && accessTokenLifetime > 3600) {

It should be fix like this:

diff --git a/src/main.ts b/src/main.ts
index 5f82809..aba9498 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -210,13 +210,14 @@ async function run(): Promise<void> {
         // perform Domain-Wide Delegation. Otherwise, use the modern IAM
         // Credentials endpoints.
         let accessToken, expiration;
-        if (accessTokenSubject && accessTokenLifetime > 3600) {
-          logInfo(
-            `An access token subject was specified, triggering Domain-Wide ` +
-              `Delegation flow. This flow does not support specifying an ` +
-              `access token lifetime of greater than 1 hour.`,
-          );
-
+        if (accessTokenSubject) {
+          if (accessTokenLifetime > 3600) {
+            logInfo(
+              `An access token subject was specified, triggering Domain-Wide ` +
+                `Delegation flow. This flow does not support specifying an ` +
+                `access token lifetime of greater than 1 hour.`,
+            );
+          }
           const unsignedJWT = buildDomainWideDelegationJWT(
             serviceAccount,
             accessTokenSubject,

I changed to the previous version uses: google-github-actions/auth@v0.7.1 in my actions yaml, and the impersonated access token was worked successfully.

[ken5scal]

@sethvargo
I think we misunderstood each other.
What I was saying is that google-github-actions/auth@v0 does return a credential file Created credentials file at "/home/runner/work/xxx/xxx/gha-creds-e3360af22c9dc486.json" and store it under GOOGLE_APPLICATION_CREDENTIALS .

Now, I use a Golang App to fetch the audit log...and get an error.

Go Code

hoge, err := ioutil.ReadFile(os.Getenv("GOOGLE_APPLICATION_CREDENTIALS"))
if err != nil {
        panic(fmt.Sprintf("CredentialsFromJSONWithParams: %v", err))
}
cred, err := google.CredentialsFromJSONWithParams(ctx, hoge, google.CredentialsParams{. 
      Scopes: getScopes(),
})
client := oauth2.NewClient(ctx, cred.TokenSource)
reportsSrv, err := reports.NewService(ctx, option.WithHTTPClient(client))

activities, err := srv.Activities.List("all", applicationName).StartTime(startTime.Format(time.RFC3339)).EndTime(endTime.Format(time.RFC3339)).Do()

panic: failed to listing activities: googleapi: Error 401: Access denied. You are not authorized to read activity records., authError

[sethvargo]

@fujikky fixed in #178 and will be released as 0.7.3. Thanks for catching that, and I'm glad to see this is working for you now.

@ken5scal which client library is that, and which version are you using? In general, you should never need to parse GOOGLE_APPLICATION_CREDENTIALS, since all the official google SDKs automatically look for that environment variable and use it for authentication. reports.NewService(ctx) should "just work"

[ken5scal]

@sethvargo Thanks, I'm using https://pkg.go.dev/google.golang.org/api@v0.80.0 which is the latest and official one.
I actually changed my code not to parse GOOGLE_APPLICATION_CREDENTIALS, but still giving me googleapi: Error 401: Access denied. You are not authorized to read activity records., authError

[sethvargo]

That library doesn't support WIF yet: googleapis/google-api-go-client#750

[ken5scal]

Ohhh.... Thanks, I would watch the issue in there @sethvargo