actions/auth
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Update troubleshooting docs for Python (#488)
Some checks failed
Release / release (push) Failing after 0s
Details
Test / unit (push) Has been cancelled
Details
Test / direct_workload_identity_federation (macos-latest) (push) Has been cancelled
Details
Test / direct_workload_identity_federation (ubuntu-latest) (push) Has been cancelled
Details
Test / direct_workload_identity_federation (windows-latest) (push) Has been cancelled
Details
Test / workload_identity_federation_through_service_account (macos-latest) (push) Has been cancelled
Details
Test / workload_identity_federation_through_service_account (ubuntu-latest) (push) Has been cancelled
Details
Test / workload_identity_federation_through_service_account (windows-latest) (push) Has been cancelled
Details
Test / credentials_json (macos-latest) (push) Has been cancelled
Details
Test / credentials_json (ubuntu-latest) (push) Has been cancelled
Details
Test / credentials_json (windows-latest) (push) Has been cancelled
Details
Test / docker (push) Has been cancelled
Details

Browse Source 
Closes https://github.com/google-github-actions/auth/pull/487

---------

Co-authored-by: Abhi Srivastava <bits.abhi@gmail.com>
This commit is contained in:
Seth Vargo 2025-06-02 10:48:14 -04:00 committed by GitHub
parent ba79af0395
commit 0920706a19
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 110 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -322,7 +322,6 @@ regardless of the authentication mechanism.
"token_format" is "id_token".
<a id="setup"></a>
## Setup

63
docs/EXAMPLES.md
View File

@ -187,6 +187,69 @@ jobs:
run: |-
curl https://myapp-uvehjacqzq.a.run.app \
--header "Authorization: Bearer ${{ steps.auth.outputs.id_token }}"
# Example of using ID token in Python code
- id: 'python-example'
run: |-
python -c "
import os
import requests
# ID token is available as environment variable
id_token = os.environ.get('GOOGLE_ID_TOKEN', '${{ steps.auth.outputs.id_token }}')
# Use the token to invoke a Cloud Run service
response = requests.get(
'https://myapp-uvehjacqzq.a.run.app',
headers={'Authorization': f'Bearer {id_token}'}
)
print(response.text)
"
```
### Using Default Credentials with Scopes in Python
When using Workload Identity Federation with Python libraries, you may need to
add scopes before refreshing credentials:
```yaml
jobs:
job_id:
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: 'actions/checkout@v4'
- id: 'auth'
uses: 'google-github-actions/auth@v2'
with:
workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
- id: 'python-auth'
run: |-
python -c "
from google.auth import default
from google.auth.transport.requests import Request
# Get default credentials
credentials, project = default()
# Add scopes before refreshing for impersonation
credentials = credentials.with_scopes(
['https://www.googleapis.com/auth/cloud-platform']
)
# Refresh to get the token
credentials.refresh(request=Request())
# Now you can use the credentials
print(f'Access token: {credentials.token}')
if hasattr(credentials, 'id_token'):
print(f'ID token: {credentials.id_token}')
"
```
[github-markdown-toc]: https://github.blog/changelog/2021-04-13-table-of-contents-support-in-markdown-files/

47
docs/TROUBLESHOOTING.md
View File

@ -230,6 +230,53 @@ tool like `jq`:
cat credentials.json | jq -r tostring
```
<a name="cannot-refresh"></a>
## Cannot refresh credentials to retrieve an ID token
If you get an error like:
```text
google.auth.exceptions.RefreshError: ('Unable to acquire impersonated credentials', '{"error": {"code": 400, "message": "Request contains an invalid argument.", "status": "INVALID_ARGUMENT"}}')
```
when trying to refresh credentials in Python code to get an ID token, this is
usually because the credentials are missing required scopes. The Google Auth
library requires scopes to be set when refreshing credentials for impersonation.
To fix this issue, add the required scopes before refreshing:
```python
from google.auth import default
from google.auth.transport.requests import Request
credentials, project = default()
# Add scopes before refreshing
credentials = credentials.with_scopes(
["https://www.googleapis.com/auth/cloud-platform"]
)
credentials.refresh(request=Request())
# Now you can access the ID token
print(credentials.id_token)
```
Alternatively, you can use the `token_format` parameter of this action to
generate an ID token directly:
```yaml
- uses: 'google-github-actions/auth@v2'
with:
workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
token_format: 'id_token'
id_token_audience: 'https://example.com'
```
This will export the ID token as an environment variable that you can use in
your Python code.
## Organizational Policy Constraints
> ** NOTE!** Your Google Cloud organization administrator controls these