actions/auth
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

doc: add more troubleshooting (#132)

Browse Source
This commit is contained in:
Seth Vargo 2022-02-03 15:25:36 -05:00 committed by GitHub
parent 48c46e6a59
commit f9dc3d62d1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
docs/TROUBLESHOOTING.md
View File

@ -56,6 +56,28 @@ some common sources of errors:
Account on an attribute unless you map that value from the incoming GitHub Account on an attribute unless you map that value from the incoming GitHub
OIDC token. OIDC token.
1. Check the specific error message that is returned.
- If the error message includes "failed to generate Google Cloud federated
token", it means admission into the Workload Identity Pool failed. Check
your [**Attribute Conditions**][attribute-conditions].
- If the error message inclues "failed to generate Google Cloud access
token", it means Service Account Impersonation failed. Check your
[**Service Account Impersonation**][sa-impersonation] settings and
ensure the principalSet is correct.
1. Enable `Admin Read`, `Data Read`, and `Data Write` [Audit Logging][cal] for
Identity and Access Management (IAM) in your Google Cloud project.
**Warning!** This will increase log volume which may increase costs. To keep
costs low, you can disable this audit logging after you have debugged the
issue.
Try to authenticate again, and then explore the logs for your Workload
Identity Provider and Workload Identity Pool. Sometimes these error messages
are helpful in hinting at the root problem.
1. Ensure you have waited at least 5 minutes between making changes to the 1. Ensure you have waited at least 5 minutes between making changes to the
Workload Identity Pool and Workload Identity Provider. Changes to these Workload Identity Pool and Workload Identity Provider. Changes to these
resources are eventually consistent. resources are eventually consistent.
@ -124,6 +146,9 @@ ways to fix this issue:
5. Push 5. Push
``` ```
[attribute-conditions]: https://cloud.google.com/iam/docs/workload-identity-federation#conditions
[sa-impersonation]: https://cloud.google.com/iam/docs/workload-identity-federation#impersonation
[debug-logs]: https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging [debug-logs]: https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging
[iam-feedback]: https://cloud.google.com/iam/docs/getting-support [iam-feedback]: https://cloud.google.com/iam/docs/getting-support
[wif-byte-limit]: https://cloud.google.com/iam/docs/configuring-workload-identity-federation [wif-byte-limit]: https://cloud.google.com/iam/docs/configuring-workload-identity-federation
[cal]: https://cloud.google.com/logging/docs/audit/configure-data-access