actions/auth
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix: only emit warning if the lifetime exceeds 1 hour

Browse Source
This commit is contained in:
Seth Vargo 2022-05-16 09:48:11 -04:00
parent ce2cf1ac23
commit f322a0d1e2
No known key found for this signature in database
GPG Key ID: 9C01CC8AB5D3F179
3 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README.md
View File

@ -158,14 +158,17 @@ workflow. By default, this action does not generate any tokens.
[`constraints/iam.allowServiceAccountCredentialLifetimeExtension`
organization policy][orgpolicy-creds-lifetime] is enabled.
Note: In order to support Domain-Wide Delegation via Workload Identity
Federation, you must grant the external identity ("principalSet")
In order to support Domain-Wide Delegation via Workload Identity Federation,
you must grant the external identity ("principalSet")
`roles/iam.serviceAccountTokenCreator` in addition to
`roles/iam.workloadIdentityUser`. The default Workload Identity setup will
only grant the latter role. If you want to use this GitHub Action with
Domain-Wide Delegation, you must manually add the "Service Account Token
Creator" role onto the external identity.
You will also need to customize the `access_token_scopes` value to
correspond to the OAuth scopes required for the API(s) you will access.
### Generating ID tokens
The following inputs are for _generating_ ID tokens for authenticating to Google

2
docs/TROUBLESHOOTING.md
View File

@ -91,7 +91,7 @@ If you get an error like:
The size of mapped attribute exceeds the 127 bytes limit.
```
it means that the GitHub OIDC token had a claim that exceeded the maximum
it means that the GitHub OIDC token had a claim that exceeded the maximum
allowed value of 127 bytes. In general, 1 byte = 1 character. This most common
reason this occurs is due to long repo names or long branch names.

2
src/main.ts
View File

@ -210,7 +210,7 @@ async function run(): Promise<void> {
// perform Domain-Wide Delegation. Otherwise, use the modern IAM
// Credentials endpoints.
let accessToken, expiration;
if (accessTokenSubject) {
if (accessTokenSubject && accessTokenLifetime > 3600) {
logInfo(
`An access token subject was specified, triggering Domain-Wide ` +
`Delegation flow. This flow does not support specifying an ` +