actions/auth
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix: only emit warning if the lifetime exceeds 1 hour

Browse Source
This commit is contained in:
Seth Vargo 2022-05-16 09:48:11 -04:00
parent ce2cf1ac23
commit f322a0d1e2
No known key found for this signature in database
GPG Key ID: 9C01CC8AB5D3F179
3 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README.md
View File

@ -158,14 +158,17 @@ workflow. By default, this action does not generate any tokens.
[`constraints/iam.allowServiceAccountCredentialLifetimeExtension` [`constraints/iam.allowServiceAccountCredentialLifetimeExtension`
organization policy][orgpolicy-creds-lifetime] is enabled. organization policy][orgpolicy-creds-lifetime] is enabled.
Note: In order to support Domain-Wide Delegation via Workload Identity In order to support Domain-Wide Delegation via Workload Identity Federation,
Federation, you must grant the external identity ("principalSet") you must grant the external identity ("principalSet")
`roles/iam.serviceAccountTokenCreator` in addition to `roles/iam.serviceAccountTokenCreator` in addition to
`roles/iam.workloadIdentityUser`. The default Workload Identity setup will `roles/iam.workloadIdentityUser`. The default Workload Identity setup will
only grant the latter role. If you want to use this GitHub Action with only grant the latter role. If you want to use this GitHub Action with
Domain-Wide Delegation, you must manually add the "Service Account Token Domain-Wide Delegation, you must manually add the "Service Account Token
Creator" role onto the external identity. Creator" role onto the external identity.
You will also need to customize the `access_token_scopes` value to
correspond to the OAuth scopes required for the API(s) you will access.
### Generating ID tokens ### Generating ID tokens
The following inputs are for _generating_ ID tokens for authenticating to Google The following inputs are for _generating_ ID tokens for authenticating to Google

2
docs/TROUBLESHOOTING.md
View File

@ -91,7 +91,7 @@ If you get an error like:
The size of mapped attribute exceeds the 127 bytes limit. The size of mapped attribute exceeds the 127 bytes limit.
``` ```
it means that the GitHub OIDC token had a claim that exceeded the maximum it means that the GitHub OIDC token had a claim that exceeded the maximum
allowed value of 127 bytes. In general, 1 byte = 1 character. This most common allowed value of 127 bytes. In general, 1 byte = 1 character. This most common
reason this occurs is due to long repo names or long branch names. reason this occurs is due to long repo names or long branch names.

2
src/main.ts
View File

@ -210,7 +210,7 @@ async function run(): Promise<void> {
// perform Domain-Wide Delegation. Otherwise, use the modern IAM // perform Domain-Wide Delegation. Otherwise, use the modern IAM
// Credentials endpoints. // Credentials endpoints.
let accessToken, expiration; let accessToken, expiration;
if (accessTokenSubject) { if (accessTokenSubject && accessTokenLifetime > 3600) {
logInfo( logInfo(
`An access token subject was specified, triggering Domain-Wide ` + `An access token subject was specified, triggering Domain-Wide ` +
`Delegation flow. This flow does not support specifying an ` + `Delegation flow. This flow does not support specifying an ` +