
Invalid value for "audience" #60

Closed
PSchnurbus24 opened this issue Nov 25, 2021 · 3 comments
Labels
bug Something isn't working

Comments

@PSchnurbus24

PSchnurbus24 commented Nov 25, 2021

TL;DR

Auth is not working. Invalid value for "audience"

Expected behavior

Working example code

Observed behavior

ERROR: gcloud crashed (OAuthError): ('Error code invalid_request: Invalid value for "audience". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats.', '{"error":"invalid_request","error_description":"Invalid value for \\"audience\\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}')

Action YAML

name: GCP OIDC
on:
  push:

jobs:
  Get_OIDC_ID_token:
    runs-on: ubuntu-latest
    environment:
      name: dev-cluster
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
    # Install gcloud, do not specify authentication.
    - uses: 'google-github-actions/setup-gcloud@master'
      with:
        project_id: ${{ secrets.GCP_PROJECT }}

    - id: 'auth'
      name: 'Authenticate to GCP'
      uses: 'google-github-actions/auth@v0.4.0'
      with:
        create_credentials_file: true
        #token_format: access_token
        workload_identity_provider: ${{ secrets.GCP_OIDC_ID_PROVIDER }}
        service_account: ${{ secrets.GCP_OIDC_SA}}

    - id: 'gcloud'
      name: 'gcloud'
      run: |-
        gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"

        # Now you can run gcloud commands authenticated as the impersonated service account.
        gcloud secrets versions access "latest" --secret "TEST_SECRET"

Log output

2021-11-25T14:53:24.4249793Z Found online and idle hosted runner in the current repository's enterprise account that matches the required labels: 'ubuntu-latest'
2021-11-25T14:53:24.4921602Z Waiting for a Hosted runner in the 'enterprise' to pick this job...
2021-11-25T14:53:24.6012107Z Job is waiting for a hosted runner to come online.
2021-11-25T14:53:28.2866434Z Job is about to start running on the hosted runner: GitHub Actions 17 (hosted)
2021-11-25T14:53:32.2336114Z Current runner version: '2.284.0'
2021-11-25T14:53:32.2369044Z ##[group]Operating System
2021-11-25T14:53:32.2370224Z Ubuntu
2021-11-25T14:53:32.2370802Z 20.04.3
2021-11-25T14:53:32.2371363Z LTS
2021-11-25T14:53:32.2371994Z ##[endgroup]
2021-11-25T14:53:32.2372679Z ##[group]Virtual Environment
2021-11-25T14:53:32.2373595Z Environment: ubuntu-20.04
2021-11-25T14:53:32.2374260Z Version: 20211122.1
2021-11-25T14:53:32.2375711Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20211122.1/images/linux/Ubuntu2004-README.md
2021-11-25T14:53:32.2377431Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20211122.1
2021-11-25T14:53:32.2378480Z ##[endgroup]
2021-11-25T14:53:32.2379264Z ##[group]Virtual Environment Provisioner
2021-11-25T14:53:32.2380103Z 1.0.0.0-master-20211123-1
2021-11-25T14:53:32.2380791Z ##[endgroup]
2021-11-25T14:53:32.2382371Z ##[group]GITHUB_TOKEN Permissions
2021-11-25T14:53:32.2383860Z Contents: read
2021-11-25T14:53:32.2384546Z Metadata: read
2021-11-25T14:53:32.2385325Z ##[endgroup]
2021-11-25T14:53:32.2388989Z Prepare workflow directory
2021-11-25T14:53:32.3062100Z Prepare all required actions
2021-11-25T14:53:32.3073335Z Getting action download info
2021-11-25T14:53:32.5454727Z Download action repository 'google-github-actions/setup-gcloud@master' (SHA:b8f95eb7d716bf9a715eafd169162b93f69ed520)
2021-11-25T14:53:34.4862198Z Download action repository 'google-github-actions/auth@v0.4.0' (SHA:a61909d048e0be579b6c15b27088d19668493851)
2021-11-25T14:53:34.9136477Z ##[group]Run google-github-actions/setup-gcloud@master
2021-11-25T14:53:34.9137476Z with:
2021-11-25T14:53:34.9138247Z   project_id: ***
2021-11-25T14:53:34.9138812Z   version: latest
2021-11-25T14:53:34.9139499Z   export_default_credentials: false
2021-11-25T14:53:34.9140166Z ##[endgroup]
2021-11-25T14:53:35.9236231Z [command]/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/ee0bbbc1-8045-4cfb-9e13-77d6069c0a60 -f /home/runner/work/_temp/a40071b6-8738-42d3-ae17-e62ad83ea1ee
2021-11-25T14:53:47.1378275Z Successfully set default project
2021-11-25T14:53:47.1383366Z No credentials provided, skipping authentication
2021-11-25T14:53:47.1638461Z ##[group]Run google-github-actions/auth@v0.4.0
2021-11-25T14:53:47.1639147Z with:
2021-11-25T14:53:47.1639665Z   create_credentials_file: true
2021-11-25T14:53:47.1641576Z   workload_identity_provider: ***
2021-11-25T14:53:47.1642723Z   service_account: ***
2021-11-25T14:53:47.1643268Z   access_token_lifetime: 3600s
2021-11-25T14:53:47.1644151Z   access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2021-11-25T14:53:47.1645046Z   id_token_include_email: false
2021-11-25T14:53:47.1645523Z env:
2021-11-25T14:53:47.1646281Z   CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2021-11-25T14:53:47.1647064Z ##[endgroup]
2021-11-25T14:53:47.3012596Z 
2021-11-25T14:53:47.3054061Z 
2021-11-25T14:53:47.3190530Z ##[group]Run gcloud auth login --brief --cred-file="/home/runner/work/_temp/7967505e41544b16b108c538"
2021-11-25T14:53:47.3191684Z gcloud auth login --brief --cred-file="/home/runner/work/_temp/7967505e41544b16b108c538"
2021-11-25T14:53:47.3192366Z 
2021-11-25T14:53:47.3193135Z # Now you can run gcloud commands authenticated as the impersonated service account.
2021-11-25T14:53:47.3194147Z gcloud secrets versions access "latest" --secret "TEST_SECRET"
2021-11-25T14:53:47.3244473Z shell: /usr/bin/bash -e {0}
2021-11-25T14:53:47.3244976Z env:
2021-11-25T14:53:47.3245758Z   CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2021-11-25T14:53:47.3246860Z   CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/_temp/7967505e41544b16b108c538
2021-11-25T14:53:47.3247842Z   GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/_temp/7967505e41544b16b108c538
2021-11-25T14:53:47.3248745Z   CLOUDSDK_PROJECT: ***
2021-11-25T14:53:47.3249388Z   CLOUDSDK_CORE_PROJECT: ***
2021-11-25T14:53:47.3249974Z   GCP_PROJECT: ***
2021-11-25T14:53:47.3250522Z   GCLOUD_PROJECT: ***
2021-11-25T14:53:47.3251326Z   GOOGLE_CLOUD_PROJECT: ***
2021-11-25T14:53:47.3251815Z ##[endgroup]
2021-11-25T14:53:48.1078158Z ERROR: gcloud crashed (OAuthError): ('Error code invalid_request: Invalid value for "audience". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats.', '{"error":"invalid_request","error_description":"Invalid value for \\"audience\\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}')
2021-11-25T14:53:48.1082725Z 
2021-11-25T14:53:48.1083439Z If you would like to report this issue, please run the following command:
2021-11-25T14:53:48.1086686Z   gcloud feedback
2021-11-25T14:53:48.1089104Z 
2021-11-25T14:53:48.1089997Z To check gcloud for common problems, please run the following command:
2021-11-25T14:53:48.1093474Z   gcloud info --run-diagnostics
2021-11-25T14:53:48.2073244Z ##[error]Process completed with exit code 1.
2021-11-25T14:53:48.2107427Z Cleaning up orphan processes

Additional information

No response

@PSchnurbus24 PSchnurbus24 added the bug Something isn't working label Nov 25, 2021
@sethvargo
Member

What is the value of secrets.GCP_OIDC_ID_PROVIDER? Are you sure the secret is being injected into the environment?

@PSchnurbus24
Author

Hi,

It is "projects/123456789012/locations/global/workloadIdentityPools/pool-name". I have also tried with the value directly in the workflow.

@sethvargo
Member

That's a pool, not a provider. You need to use the full provider ID, which is of the format:

projects/<number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>
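The mistake in this thread (a pool resource name where the STS exchange expects a provider resource name) only surfaces as the opaque `Invalid value for "audience"` crash once gcloud runs. The following preflight check is an added example, not code from the google-github-actions/auth project or from anyone in this thread: it validates the `workload_identity_provider` value against the provider format given above and tells apart the three cases a defender will actually meet (secret not injected, pool-only name, full provider name) so the job fails with a readable reason before any token exchange. The character classes for the pool and provider IDs are an assumption for illustration; the path layout itself is the one stated in the comment above.

```shell
#!/usr/bin/env bash
# Added example (not from the google-github-actions/auth project): preflight
# validation of a workload_identity_provider value before the auth step runs.
#
# The STS token exchange expects the *provider* resource name:
#   projects/<number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>
# A pool-only name (no /providers/<provider> suffix) is what produced the
# 'Invalid value for "audience"' error in this issue.

# Returns 0 for a full provider name, 1 for a pool-only name, 2 for an empty
# or otherwise malformed value. A one-line diagnosis goes to stderr so the
# reason is visible in the job log without printing the value itself.
check_wip_format() {
  value="$1"
  # Assumed ID character class ([a-z0-9-]); adjust if your IDs differ.
  provider_re='^projects/[0-9]+/locations/global/workloadIdentityPools/[a-z0-9-]+/providers/[a-z0-9-]+$'
  pool_re='^projects/[0-9]+/locations/global/workloadIdentityPools/[a-z0-9-]+$'

  if [ -z "$value" ]; then
    echo "workload_identity_provider is empty: the secret was not injected into the job" >&2
    return 2
  fi
  if printf '%s\n' "$value" | grep -Eq "$provider_re"; then
    return 0
  fi
  if printf '%s\n' "$value" | grep -Eq "$pool_re"; then
    echo "workload_identity_provider names a pool, not a provider: append /providers/<provider>" >&2
    return 1
  fi
  echo "workload_identity_provider is not a provider resource name (expected projects/<number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>)" >&2
  return 2
}

# Usage in a workflow step placed before google-github-actions/auth, e.g.
#   env:
#     WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_OIDC_ID_PROVIDER }}
#   run: bash check_wip.sh
# (hypothetical variable and file name). The check only runs when the
# variable is present so the function can also be sourced and tested alone.
if [ -n "${WORKLOAD_IDENTITY_PROVIDER:-}" ]; then
  check_wip_format "$WORKLOAD_IDENTITY_PROVIDER" || exit 1
fi
```

Because the value is a resource name rather than a credential, printing the diagnosis is safe, but the function deliberately does not echo the value itself, so the step behaves the same whether or not the secret is masked by the runner.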
