
Impersonation issues for Google Workspace #387

Closed
tcvall86 opened this issue Jan 31, 2024 · 20 comments · Fixed by #388
Labels: bug

Comments

@tcvall86

TL;DR

When trying to add access_token_subject I receive a 401 response for the auth action

google-github-actions/auth failed with: retry function failed after 4 attempts: failed to sign JWT using my-service-account@my-project.iam.gserviceaccount.com:

{
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "ACCESS_TOKEN_TYPE_UNSUPPORTED",
        "metadata": {
          "service": "iamcredentials.googleapis.com",
          "method": "google.iam.credentials.v1.IAMCredentials.SignJwt"
        }
      }
    ]
  }
}

If I run this without subject like

- name: Get Google access token
  uses: 'google-github-actions/auth@v2.1.0'
  id: google_access_token
  with:
    project_id: my-project
    workload_identity_provider: workload_idp_string
    service_account: my-service-account@my_project.iam.gserviceaccount.com
    export_environment_variables: true
    token_format: "access_token"
    access_token_lifetime: 1800s
    access_token_scopes: https://www.googleapis.com/auth/admin.directory.user.readonly

The flow passes normally. However, since I need to do impersonation I would need to add

access_token_subject: my-admin-user@domain.td

Which is when the error happens.

I tried to look into previous impersonation issues like

#234
#174
#63

But regardless I can't quite get it to work


I have set up the domain wide permissions inside of google workspace for the service account appid

I am not too used to GCP, so it could be something obvious I am missing here. I am thankful for any suggestions!

Regards,
Thomas

Expected behavior

I am expecting impersonation to work so we can use this to access Google workspaces in our actions

Observed behavior

Call fails with

{
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "ACCESS_TOKEN_TYPE_UNSUPPORTED",
        "metadata": {
          "service": "iamcredentials.googleapis.com",
          "method": "google.iam.credentials.v1.IAMCredentials.SignJwt"
        }
      }
    ]
  }
}

Action YAML

name: Test Google impersonation in seperate flow
run-name: "Access google from ${{ github.repository }}"

on:
  pull_request:
    branches:
      - master
      - main
    types:
      - opened
      - edited
      - synchronize
      - reopened
  workflow_dispatch:

jobs:
  google_workspace_test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      pull-requests: read

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Get Google access token
        uses: 'google-github-actions/auth@v2.1.0'
        id: google_access_token
        with:
          project_id: my-project
          workload_identity_provider: projects/project-id/locations/global/workloadIdentityPools/my-poolname/providers/my-provider
          service_account: my-service-account@my-project.iam.gserviceaccount.com
          export_environment_variables: true
          token_format: "access_token"
          access_token_lifetime: 1800s
          access_token_scopes: https://www.googleapis.com/auth/admin.directory.user.readonly
          access_token_subject: my-admin@domain.tl

Log output

2024-01-31T13:26:51.8162091Z Requested labels: ubuntu-latest
2024-01-31T13:26:51.8162363Z Job defined at: org/repo/.github/workflows/test-access.yml@refs/pull/68/merge
2024-01-31T13:26:51.8162443Z Waiting for a runner to pick up this job...
2024-01-31T13:26:53.5052740Z Job is waiting for a hosted runner to come online.
2024-01-31T13:26:55.1607573Z Job is about to start running on the hosted runner: GitHub Actions 39 (hosted)
2024-01-31T13:26:58.0328507Z Current runner version: '2.312.0'
2024-01-31T13:26:58.0360073Z ##[group]Operating System
2024-01-31T13:26:58.0360862Z Ubuntu
2024-01-31T13:26:58.0361313Z 22.04.3
2024-01-31T13:26:58.0361909Z LTS
2024-01-31T13:26:58.0362309Z ##[endgroup]
2024-01-31T13:26:58.0362812Z ##[group]Runner Image
2024-01-31T13:26:58.0363503Z Image: ubuntu-22.04
2024-01-31T13:26:58.0363998Z Version: 20240126.1.0
2024-01-31T13:26:58.0365307Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240126.1/images/ubuntu/Ubuntu2204-Readme.md
2024-01-31T13:26:58.0367277Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240126.1
2024-01-31T13:26:58.0368368Z ##[endgroup]
2024-01-31T13:26:58.0368919Z ##[group]Runner Image Provisioner
2024-01-31T13:26:58.0369619Z 2.0.341.1
2024-01-31T13:26:58.0370031Z ##[endgroup]
2024-01-31T13:26:58.0371423Z ##[group]GITHUB_TOKEN Permissions
2024-01-31T13:26:58.0373597Z Contents: read
2024-01-31T13:26:58.0374160Z Metadata: read
2024-01-31T13:26:58.0375062Z PullRequests: read
2024-01-31T13:26:58.0375703Z ##[endgroup]
2024-01-31T13:26:58.0378460Z Secret source: Actions
2024-01-31T13:26:58.0379202Z Prepare workflow directory
2024-01-31T13:26:58.1147132Z Prepare all required actions
2024-01-31T13:26:58.1343158Z Getting action download info
2024-01-31T13:26:58.4649985Z Download action repository 'actions/checkout@v4' (SHA:b4ffde65f46336ab88eb53be808477a3936bae11)
2024-01-31T13:26:58.6146039Z Download action repository 'google-github-actions/auth@v2.1.0' (SHA:5a50e581162a13f4baa8916d01180d2acbc04363)
2024-01-31T13:26:58.9851765Z Complete job name: google_workspace_test
2024-01-31T13:26:59.0877631Z ##[group]Run actions/checkout@v4
2024-01-31T13:26:59.0878253Z with:
2024-01-31T13:26:59.0878683Z   repository: org/repo
2024-01-31T13:26:59.0879590Z   token: ***
2024-01-31T13:26:59.0879994Z   ssh-strict: true
2024-01-31T13:26:59.0880429Z   persist-credentials: true
2024-01-31T13:26:59.0880930Z   clean: true
2024-01-31T13:26:59.0881367Z   sparse-checkout-cone-mode: true
2024-01-31T13:26:59.0881940Z   fetch-depth: 1
2024-01-31T13:26:59.0882344Z   fetch-tags: false
2024-01-31T13:26:59.0882785Z   show-progress: true
2024-01-31T13:26:59.0883203Z   lfs: false
2024-01-31T13:26:59.0883579Z   submodules: false
2024-01-31T13:26:59.0884024Z   set-safe-directory: true
2024-01-31T13:26:59.0884490Z ##[endgroup]
2024-01-31T13:26:59.3696847Z Syncing repository: org/repo
2024-01-31T13:26:59.3699252Z ##[group]Getting Git version info
2024-01-31T13:26:59.3700431Z Working directory is '/home/runner/work/repo/repo'
2024-01-31T13:26:59.3701937Z [command]/usr/bin/git version
2024-01-31T13:26:59.3844068Z git version 2.43.0
2024-01-31T13:26:59.3879355Z ##[endgroup]
2024-01-31T13:26:59.3916030Z Temporarily overriding HOME='/home/runner/work/_temp/8382423c-b1ac-434a-b4e5-9c4a9d9d0864' before making global git config changes
2024-01-31T13:26:59.3917954Z Adding repository directory to the temporary git global config as a safe directory
2024-01-31T13:26:59.3919832Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/repo/repo
2024-01-31T13:26:59.3960242Z Deleting the contents of '/home/runner/work/repo/repo'
2024-01-31T13:26:59.3983942Z ##[group]Initializing the repository
2024-01-31T13:26:59.3985319Z [command]/usr/bin/git init /home/runner/work/repo/repo
2024-01-31T13:26:59.4067177Z hint: Using 'master' as the name for the initial branch. This default branch name
2024-01-31T13:26:59.4072040Z hint: is subject to change. To configure the initial branch name to use in all
2024-01-31T13:26:59.4076086Z hint: of your new repositories, which will suppress this warning, call:
2024-01-31T13:26:59.4079279Z hint: 
2024-01-31T13:26:59.4082148Z hint: 	git config --global init.defaultBranch <name>
2024-01-31T13:26:59.4084945Z hint: 
2024-01-31T13:26:59.4087731Z hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
2024-01-31T13:26:59.4091168Z hint: 'development'. The just-created branch can be renamed via this command:
2024-01-31T13:26:59.4095395Z hint: 
2024-01-31T13:26:59.4098113Z hint: 	git branch -m <name>
2024-01-31T13:26:59.4116963Z Initialized empty Git repository in /home/runner/work/repo/repo/.git/
2024-01-31T13:26:59.4135902Z [command]/usr/bin/git remote add origin https://github.com/org/repo
2024-01-31T13:26:59.4170797Z ##[endgroup]
2024-01-31T13:26:59.4172027Z ##[group]Disabling automatic garbage collection
2024-01-31T13:26:59.4178676Z [command]/usr/bin/git config --local gc.auto 0
2024-01-31T13:26:59.4213997Z ##[endgroup]
2024-01-31T13:26:59.4216207Z ##[group]Setting up auth
2024-01-31T13:26:59.4226372Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2024-01-31T13:26:59.4265889Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
2024-01-31T13:26:59.4655060Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2024-01-31T13:26:59.4687634Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
2024-01-31T13:26:59.4948980Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic ***
2024-01-31T13:26:59.5004069Z ##[endgroup]
2024-01-31T13:26:59.5006717Z ##[group]Fetching the repository
2024-01-31T13:26:59.5021393Z [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules --depth=1 origin +e6e10b73c499ed8fa08b476e855a2a265fd80227:refs/remotes/pull/68/merge
2024-01-31T13:26:59.8307456Z From https://github.com/org/repo
2024-01-31T13:26:59.8313545Z  * [new ref]         e6e10b73c499ed8fa08b476e855a2a265fd80227 -> pull/68/merge
2024-01-31T13:26:59.8339535Z ##[endgroup]
2024-01-31T13:26:59.8340537Z ##[group]Determining the checkout info
2024-01-31T13:26:59.8341846Z ##[endgroup]
2024-01-31T13:26:59.8342719Z ##[group]Checking out the ref
2024-01-31T13:26:59.8345425Z [command]/usr/bin/git checkout --progress --force refs/remotes/pull/68/merge
2024-01-31T13:26:59.8453712Z Note: switching to 'refs/remotes/pull/68/merge'.
2024-01-31T13:26:59.8455100Z 
2024-01-31T13:26:59.8455778Z You are in 'detached HEAD' state. You can look around, make experimental
2024-01-31T13:26:59.8457656Z changes and commit them, and you can discard any commits you make in this
2024-01-31T13:26:59.8458918Z state without impacting any branches by switching back to a branch.
2024-01-31T13:26:59.8459672Z 
2024-01-31T13:26:59.8460238Z If you want to create a new branch to retain commits you create, you may
2024-01-31T13:26:59.8461479Z do so (now or later) by using -c with the switch command. Example:
2024-01-31T13:26:59.8462208Z 
2024-01-31T13:26:59.8462549Z   git switch -c <new-branch-name>
2024-01-31T13:26:59.8462961Z 
2024-01-31T13:26:59.8463260Z Or undo this operation with:
2024-01-31T13:26:59.8463690Z 
2024-01-31T13:26:59.8463959Z   git switch -
2024-01-31T13:26:59.8464190Z 
2024-01-31T13:26:59.8464788Z Turn off this advice by setting config variable advice.detachedHead to false
2024-01-31T13:26:59.8465630Z 
2024-01-31T13:26:59.8466629Z HEAD is now at e6e10b7 Merge aa7295f57fb0e819e8495e3b4cd86f79330add48 into 0154afaed0d9ba9573bc5a6f92d651b80c4086b5
2024-01-31T13:26:59.8479640Z ##[endgroup]
2024-01-31T13:26:59.8513518Z [command]/usr/bin/git log -1 --format='%H'
2024-01-31T13:26:59.8540702Z 'e6e10b73c499ed8fa08b476e855a2a265fd80227'
2024-01-31T13:26:59.9085486Z ##[group]Run google-github-actions/auth@v2.1.0
2024-01-31T13:26:59.9086279Z with:
2024-01-31T13:26:59.9086849Z   project_id: my-project
2024-01-31T13:26:59.9088421Z   workload_identity_provider: projects/project-id/locations/global/workloadIdentityPools/my-poolname/providers/my-provider
2024-01-31T13:26:59.9090475Z   service_account: my-service-account@my-project.iam.gserviceaccount.com
2024-01-31T13:26:59.9091782Z   export_environment_variables: true
2024-01-31T13:26:59.9092495Z   token_format: access_token
2024-01-31T13:26:59.9093104Z   access_token_lifetime: 1800s
2024-01-31T13:26:59.9094180Z   access_token_scopes: https://www.googleapis.com/auth/admin.directory.user.readonly
2024-01-31T13:26:59.9095333Z   access_token_subject: my-admin@domain.tl
2024-01-31T13:26:59.9096124Z   create_credentials_file: true
2024-01-31T13:26:59.9096820Z   universe: googleapis.com
2024-01-31T13:26:59.9097382Z   cleanup_credentials: true
2024-01-31T13:26:59.9098096Z   retries: 3
2024-01-31T13:26:59.9098647Z   backoff: 250
2024-01-31T13:26:59.9099103Z   id_token_include_email: false
2024-01-31T13:26:59.9099706Z ##[endgroup]
2024-01-31T13:27:00.1728663Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-fa93714574e118a9.json"
2024-01-31T13:27:00.5957873Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-b12f97ebaaf28536.json"
2024-01-31T13:27:00.9863978Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-d1f1d356de50805e.json"
2024-01-31T13:27:01.6186372Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-a40fad1e66bc7e28.json"
2024-01-31T13:27:01.7222266Z ##[error]google-github-actions/auth failed with: retry function failed after 4 attempts: failed to sign JWT using my-service-account@my-project.iam.gserviceaccount.com: {
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "ACCESS_TOKEN_TYPE_UNSUPPORTED",
        "metadata": {
          "service": "iamcredentials.googleapis.com",
          "method": "google.iam.credentials.v1.IAMCredentials.SignJwt"
        }
      }
    ]
  }
}
2024-01-31T13:27:01.7641210Z Post job cleanup.
2024-01-31T13:27:01.8675924Z Removed exported credentials at "/home/runner/work/repo/repo/gha-creds-a40fad1e66bc7e28.json".
2024-01-31T13:27:01.8859889Z Post job cleanup.
2024-01-31T13:27:01.9808231Z [command]/usr/bin/git version
2024-01-31T13:27:01.9911155Z git version 2.43.0
2024-01-31T13:27:02.0078883Z Temporarily overriding HOME='/home/runner/work/_temp/5a64591e-cac1-4cdf-b9e1-fc3fb44e4ac9' before making global git config changes
2024-01-31T13:27:02.0080665Z Adding repository directory to the temporary git global config as a safe directory
2024-01-31T13:27:02.0084921Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/repo/repo
2024-01-31T13:27:02.0192546Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2024-01-31T13:27:02.0228504Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
2024-01-31T13:27:02.0507626Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2024-01-31T13:27:02.0537815Z http.https://github.com/.extraheader
2024-01-31T13:27:02.0551444Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader
2024-01-31T13:27:02.0587561Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
2024-01-31T13:27:02.1232796Z Cleaning up orphan processes

Additional information

No response

tcvall86 added the "bug" label Jan 31, 2024

Hi there @tcvall86 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

@sethvargo (Member)

Can you try auth@v1.3.0 and report whether that works? We changed the way credentials were generated in 2.0, and I'm wondering if it works in 1.0.

@damir-dezeljin

I used the auth@v1, which was working until recently, but I found yesterday it broke. So, today I spent a day trying to figure out what's wrong, I also switched to auth@v2 and before that set up Node 20 with actions/setup-node@v4, but I couldn't get it working.
Ultimately I found out the token_format: access_token breaks the auth action.

Following your suggestion, I switched to auth@v1.3.0 and I can confirm that it works. So, as you guessed, probably the changes you introduced broke both v1 and v2.

Can't wait to get it fixed :)

@sethvargo (Member)

Hi @damir-dezeljin can you try pinning to auth@sethvargo/dwd and see if that works for you? If not, please provide debug logs.

@damir-dezeljin

@sethvargo, may I ask you to point me to the auth@sethvargo/dwd sources, or even better, the code changes compared to the original auth action code. Just wanted to check what I'm going to execute before trying it out.

@tcvall86 (Author) commented Feb 1, 2024

@sethvargo

I can also confirm @v1.3.0 works
I tried auth@sethvargo/dwd but that produces the same error as @v2 versions

2024-02-01T06:59:52.1177603Z '65de5f9647a11ab92aa9128d0f0300d4951fb5ab'
2024-02-01T06:59:52.1546409Z ##[group]Run google-github-actions/auth@sethvargo/dwd
2024-02-01T06:59:52.1547037Z with:
2024-02-01T06:59:52.1547349Z   project_id: my-project
2024-02-01T06:59:52.1548730Z   workload_identity_provider: projects/project-id/locations/global/workloadIdentityPools/my-pool/providers/my-provider
2024-02-01T06:59:52.1550515Z   service_account: sa@my-project.iam.gserviceaccount.com
2024-02-01T06:59:52.1551289Z   export_environment_variables: true
2024-02-01T06:59:52.1551768Z   token_format: access_token
2024-02-01T06:59:52.1552178Z   access_token_lifetime: 1800s
2024-02-01T06:59:52.1552932Z   access_token_scopes: https://www.googleapis.com/auth/admin.directory.user.readonly
2024-02-01T06:59:52.1553822Z   access_token_subject: tmy-admin@domain.td
2024-02-01T06:59:52.1554373Z   create_credentials_file: true
2024-02-01T06:59:52.1554825Z   universe: googleapis.com
2024-02-01T06:59:52.1555239Z   cleanup_credentials: true
2024-02-01T06:59:52.1555676Z   retries: 3
2024-02-01T06:59:52.1555983Z   backoff: 250
2024-02-01T06:59:52.1556325Z   id_token_include_email: false
2024-02-01T06:59:52.1556740Z ##[endgroup]
2024-02-01T06:59:52.8449285Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-ee397a4481665e3a.json"
2024-02-01T06:59:53.1381954Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-e6757e024686651a.json"
2024-02-01T06:59:53.7739223Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-5622be51b533b96a.json"
2024-02-01T06:59:54.5741153Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-9646df0bd1b5144b.json"
2024-02-01T06:59:54.8599614Z ##[error]google-github-actions/auth failed with: retry function failed after 4 attempts: failed to sign JWT using sa@my-project.iam.gserviceaccount.com: {
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "ACCESS_TOKEN_TYPE_UNSUPPORTED",
        "metadata": {
          "method": "google.iam.credentials.v1.IAMCredentials.SignJwt",
          "service": "iamcredentials.googleapis.com"
        }
      }
    ]
  }
}

@sethvargo (Member)

Hi @damir-dezeljin - it's linked right above in the GitHub UI (#388).

Hi @tcvall86 - can you provide the debug logs?

@tcvall86 (Author) commented Feb 2, 2024

@sethvargo

I have attached the debug logs here
debug.log

This part looks a bit weird (Promise ])

##[debug]WorkloadIdentityFederationClient.signJWT: Built request, {
##[debug]  "method": "POST",
##[debug]  "path": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@my-project.iam.gserviceaccount.com:signJwt",
##[debug]  "headers": {
##[debug]    "Authorization": "*** Promise]"
##[debug]  },

@sethvargo (Member)

Hi @tcvall86 - Did you sanitize the logs? I'm seeing the project ID as "project-id", the pool as "my-pool", and the provider as "my-provider". WIF requires project number, not project id, but none of those values seem correct.

WorkloadIdentityFederationClient: Computed audience, //iam.googleapis.com/projects/project-id/locations/global/workloadIdentityPools/my-pool/providers/my-provider

I see that we successfully get a federated token and an access token, so I think you scrubbed the logs. Nonetheless, I was able to see what's going on. Can you please try again with auth@sethvargo/dwd? I needed to use the generated access token to build the DWD token, instead of the federated token.
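The point about the provider name above (project number, not project ID, and the audience the action derives from it) can be checked before a workflow ever runs. The following is an added example, not code from google-github-actions/auth: it parses a workload_identity_provider value into its parts, rejects a non-numeric project segment, and computes the same `//iam.googleapis.com/...` audience the action logs as "Computed audience". The sample values below are constructed.

```javascript
// Added example; not code from google-github-actions/auth. Parses the
// workload_identity_provider input, checks that the project segment is a
// numeric project number, and derives the STS audience the action logs as
// "Computed audience".

const PROVIDER_RE =
  /^projects\/([^/]+)\/locations\/global\/workloadIdentityPools\/([^/]+)\/providers\/([^/]+)$/;

const EXPECTED_SHAPE =
  'projects/<project-number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>';

// Returns { ok: true, projectNumber, pool, provider, audience } or { ok: false, error }.
function parseWorkloadIdentityProvider(value) {
  const m = PROVIDER_RE.exec(value);
  if (!m) {
    return {
      ok: false,
      error: `"${value}" is not a full provider resource name; expected ${EXPECTED_SHAPE}`,
    };
  }
  const [, project, pool, provider] = m;
  // WIF resource names carry the numeric project number; a project ID such as
  // "my-project" is accepted by the regex above but must be rejected here.
  if (!/^\d+$/.test(project)) {
    return {
      ok: false,
      error: `project segment "${project}" must be the numeric project number, not a project ID`,
    };
  }
  return {
    ok: true,
    projectNumber: project,
    pool,
    provider,
    // Audience the action computes for the STS exchange (see "Computed audience" above).
    audience: `//iam.googleapis.com/${value}`,
  };
}

// Stand-alone demonstration with constructed inputs: the sanitized value from
// this thread (rejected) and a value with a made-up project number (accepted).
const samples = [
  'projects/project-id/locations/global/workloadIdentityPools/my-pool/providers/my-provider',
  'projects/123456789012/locations/global/workloadIdentityPools/my-pool/providers/my-provider',
  'my-pool/providers/my-provider',
];
for (const s of samples) {
  console.log(JSON.stringify(parseWorkloadIdentityProvider(s)));
}
```

Running this as a pre-flight step turns a vague 401 from the remote API into a local error that names the bad input.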

@tcvall86 (Author) commented Feb 2, 2024

@sethvargo

Yes I did sanitize the logs
It seems like the same issue still gets the same error and I get this in the debug output (unsanitized except for my admin user)
It seems that somewhere for some reason the Promise] is not removed when constructing the signJwt request

##[debug]WorkloadIdentityFederationClient.signJWT: Built request, {
##[debug]  "method": "POST",
##[debug]  "path": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/eed-infra-github-oidc@eed-infra.iam.gserviceaccount.com:signJwt",
##[debug]  "headers": {
##[debug]    "Authorization": "*** Promise]"
##[debug]  },
##[debug]  "body": {
##[debug]    "payload": "{\"iss\":\"eed-infra-github-oidc@eed-infra.iam.gserviceaccount.com\",\"aud\":\"https://oauth2.googleapis.com/token\",\"iat\":1706891943,\"exp\":1706893743,\"sub\":\"my-admin@mydomain.com\",\"scope\":\"https://www.googleapis.com/auth/admin.directory.user.readonly\"}"
##[debug]  }
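The `"*** Promise]"` in the masked Authorization header above is what JavaScript produces when a Promise is interpolated into a string instead of being awaited: the header reads `Bearer [object Promise]`, and the IAM Credentials API correctly answers with `ACCESS_TOKEN_TYPE_UNSUPPORTED`. The following is an added example, not code from google-github-actions/auth; the token source `fetchAccessToken` and the placeholder token are constructed. It shows the buggy and the corrected request builder side by side, plus a pre-flight check that refuses to send a header carrying a stringified non-credential.

```javascript
// Added example; not code from google-github-actions/auth. Reproduces how an
// un-awaited Promise turns into "[object Promise]" inside an Authorization
// header, and adds a pre-flight check that refuses to send such a header.

const SIGN_JWT_BASE = 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/';

// Hypothetical token source. In the real action this is the service-account
// access token obtained through Workload Identity Federation; here it resolves
// a constructed placeholder value.
function fetchAccessToken() {
  return Promise.resolve('ya29.constructed-access-token');
}

// Builds the signJwt request from an already-resolved token string.
function buildSignJwtRequestWithToken(serviceAccount, token, claims) {
  return {
    method: 'POST',
    path: `${SIGN_JWT_BASE}${serviceAccount}:signJwt`,
    headers: { Authorization: `Bearer ${token}` },
    body: { payload: JSON.stringify(claims) },
  };
}

// Buggy variant: the Promise returned by fetchAccessToken() is never awaited,
// so template-string interpolation stringifies it. The header becomes
// "Bearer [object Promise]", which matches the masked "*** Promise]" above.
function buildSignJwtRequestBuggy(serviceAccount, claims) {
  const token = fetchAccessToken(); // missing `await`
  return buildSignJwtRequestWithToken(serviceAccount, token, claims);
}

// Fixed variant: await the token, then validate the header before returning.
async function buildSignJwtRequest(serviceAccount, claims) {
  const token = await fetchAccessToken();
  const request = buildSignJwtRequestWithToken(serviceAccount, token, claims);
  const check = validateBearerHeader(request.headers.Authorization);
  if (!check.ok) throw new Error(`refusing to send request: ${check.reason}`);
  return request;
}

// Pre-flight check for a bearer header. Rejects empty tokens and the string
// forms JavaScript produces for non-string values, so a coding error surfaces
// locally instead of as a 401 from the remote API.
function validateBearerHeader(header) {
  if (typeof header !== 'string') return { ok: false, reason: 'header is not a string' };
  const m = /^Bearer (.+)$/.exec(header);
  if (!m) return { ok: false, reason: 'missing "Bearer " prefix or empty token' };
  const token = m[1];
  if (/^\[object [A-Za-z]+\]$/.test(token) || token === 'undefined' || token === 'null') {
    return { ok: false, reason: `token is a stringified non-credential value: ${token}` };
  }
  if (/\s/.test(token)) return { ok: false, reason: 'token contains whitespace' };
  return { ok: true, reason: '' };
}

// Stand-alone demonstration with a constructed service-account email.
const sa = 'sa@my-project.iam.gserviceaccount.com';
const buggy = buildSignJwtRequestBuggy(sa, { iss: sa });
console.log(buggy.headers.Authorization, validateBearerHeader(buggy.headers.Authorization));
buildSignJwtRequest(sa, { iss: sa }).then((req) =>
  console.log(req.headers.Authorization, validateBearerHeader(req.headers.Authorization)),
);
```

The validator is deliberately placed between building and sending: a credential that is missing or malformed is then a local exception with a readable reason, not a retried remote call that burns four attempts and logs a masked fragment.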

@sethvargo (Member)

Can you send the full debug logs again please with the latest version of auth@sethvargo/dwd please?

@tcvall86 (Author) commented Feb 2, 2024

Hello @sethvargo

here are the new logs,

I have sanitized some of the outputs like project id, pool, provider, my admin, repo etc

debug.log

@sethvargo (Member)

Hi @tcvall86 - sorry, but those look like older logs. Can you try again with a new commit? Sometimes GitHub caches the resolved hash if you just click "re-run". There should be new log output that will help debug this.

@tcvall86 (Author) commented Feb 2, 2024

Hi @sethvargo

Ok so the action does not fail now since your last commit but now I get

##[debug]IAMCredentialsClient.generateDomainWideDelegationAccessToken: Built request, {
##[debug]  "method": "POST",
##[debug]  "path": "https://oauth2.googleapis.com/token",
##[debug]  "headers": {
##[debug]    "Accept": "application/json",
##[debug]    "Content-Type": "application/x-www-form-urlencoded"
##[debug]  },
##[debug]  "body": {}
##[debug]}
Warning: Can't add secret mask for empty string in ##[add-mask] command.

Might be ok though?

@tcvall86 (Author) commented Feb 2, 2024

I can try it later tomorrow if you want, if the warning is expected I mean

@sethvargo (Member)

Hi @tcvall86 - yea, that seems unexpected, so I'd like to see the full request and response from the debug logs if possible.

@tcvall86 (Author) commented Feb 3, 2024

Hello @sethvargo,

Here are the sanitized logs with the most recent run
debug.log

@sethvargo (Member)

Hi @tcvall86 - okay, it looks like I was expecting the wrong response param (accessToken vs access_token). I just pushed up another change - can you try again please?
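Taken together, the thread shows the three artefacts of the domain-wide-delegation exchange: the claim set the action has IAMCredentials.signJwt sign (the `iss`/`aud`/`iat`/`exp`/`sub`/`scope` payload in the debug output above), the form body posted to `https://oauth2.googleapis.com/token`, and the response whose token field is `access_token`, not `accessToken`. The following is an added example, not code from google-github-actions/auth; the service account, subject, signed JWT and token response are constructed. It also fails loudly on a missing token field, which is the condition behind the "Can't add secret mask for empty string" warning seen earlier.

```javascript
// Added example; not code from google-github-actions/auth. Assembles the
// pieces of the domain-wide-delegation (DWD) exchange discussed in this
// thread: the claim set for signJwt, the token-endpoint form body, and
// parsing of the token response.

const TOKEN_URI = 'https://oauth2.googleapis.com/token';
const JWT_BEARER_GRANT = 'urn:ietf:params:oauth:grant-type:jwt-bearer';
const MAX_ASSERTION_LIFETIME = 3600; // service-account JWT assertions are valid for at most one hour

// Claim set the service account signs. `sub` is the Workspace user being
// impersonated (access_token_subject); `now` may be passed for reproducibility.
function buildDwdClaims({ serviceAccount, subject, scopes, lifetimeSeconds, now }) {
  if (!serviceAccount) throw new Error('service account email is required');
  if (!subject) throw new Error('access_token_subject (user to impersonate) is required for DWD');
  if (!Array.isArray(scopes) || scopes.length === 0) throw new Error('at least one scope is required');
  if (!Number.isInteger(lifetimeSeconds) || lifetimeSeconds <= 0 || lifetimeSeconds > MAX_ASSERTION_LIFETIME) {
    throw new Error(`lifetime must be 1..${MAX_ASSERTION_LIFETIME} seconds`);
  }
  const iat = now ?? Math.floor(Date.now() / 1000);
  return {
    iss: serviceAccount,
    aud: TOKEN_URI,
    iat,
    exp: iat + lifetimeSeconds,
    sub: subject,
    scope: scopes.join(' '),
  };
}

// application/x-www-form-urlencoded body for the token endpoint. `signedJwt`
// is the compact JWS that signJwt returns (a constructed placeholder below).
function buildTokenExchangeBody(signedJwt) {
  if (typeof signedJwt !== 'string' || signedJwt.split('.').length !== 3) {
    throw new Error('signedJwt must be a compact JWS: header.payload.signature');
  }
  return new URLSearchParams({ grant_type: JWT_BEARER_GRANT, assertion: signedJwt }).toString();
}

// Reads the token response. The field is snake_case "access_token" (OAuth 2.0);
// reading "accessToken" yields undefined, which is what produced the empty
// string that the secret masker complained about.
function parseTokenResponse(json) {
  const body = typeof json === 'string' ? JSON.parse(json) : json;
  if (body.error) {
    throw new Error(`token endpoint error: ${body.error} ${body.error_description ?? ''}`.trim());
  }
  const token = body.access_token;
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error(`response has no non-empty access_token (fields present: ${Object.keys(body).join(', ')})`);
  }
  return { accessToken: token, expiresIn: body.expires_in, tokenType: body.token_type };
}

// Stand-alone demonstration with constructed values; iat/exp mirror the
// numbers in the debug log above (1800 s lifetime).
const demoClaims = buildDwdClaims({
  serviceAccount: 'sa@my-project.iam.gserviceaccount.com',
  subject: 'my-admin@example.com',
  scopes: ['https://www.googleapis.com/auth/admin.directory.user.readonly'],
  lifetimeSeconds: 1800,
  now: 1706891943,
});
console.log(JSON.stringify(demoClaims));
console.log(buildTokenExchangeBody('constructed-header.constructed-payload.constructed-signature'));
console.log(parseTokenResponse('{"access_token":"ya29.constructed","expires_in":1799,"token_type":"Bearer"}'));
```

Signing and the two HTTP calls are left out on purpose: the claim set, the body encoding and the response field name are the parts that were wrong or unclear in this thread, and each of them can be unit-tested offline.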

@tcvall86 (Author) commented Feb 5, 2024

Hello @sethvargo,

Sorry for the late reply here.
Yes it seems the latest version did the trick! No errors. I can also confirm subsequent DWD actions work with the access tokens!

@sethvargo (Member)

Thanks - released v2.1.1
