GitHub and workload-identity-pools providers create-oidc INVALID_ARGUMENT error

Google Cloud Integration Services
1

Hi All

I am trying to set up things to be able to run Actions to query gcloud.
As part of the set up, I have so far been able to Create a Workload Identity Pool but when I try to Create a Workload Identity Provider using the command below, it fails with an “ERROR: (gcloud.iam.workload-identity-pools.providers.create-oidc) INVALID_ARGUMENT: The attribute condition must reference one of the provider’s claims. For more information, see https://cloud.google.com/iam/docs/workload-identity-federation-with-deployment-pipelines#conditions

Command

gcloud iam workload-identity-pools providers create-oidc "github-actions-provider" \
    --project="my-project-name" \
    --location="global" \
    --workload-identity-pool="github-actions" \
    --display-name="GitHub Actions Provider" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner"

I inspected the OIDC JWT Claims by running the command below and I can confirm the the claims have the sub, repository, actor and repository_owner coming up in the response.

JWL Claims

 "sub": "repo:name/repo_name:ref:refs/heads/main",
"aud": "https://github.com/name",
"ref": "refs/heads/main",
"sha": "40digitsha",
"repository": "owner-name/repo_name",
"repository_owner": "owner-name",
"repository_owner_id": "11111",
"run_id": "10940851174",
"run_number": "6",
"run_attempt": "1",
"repository_visibility": "public",
"repository_id": "1111111",
"actor_id": "111111",
"actor": "name"

Also tried with just one attribute mapping --attribute-mapping=“google.subject=assertion.sub” and it still fails.

Any help is highly appreciated.

Thank you

2

Hi @sam-nash ,

Welcome to Google Cloud Community!

I understand that you are getting an error when you try to create the provider for your Workload Identity Pool. Based on the error you provide, INVALID_ARGUMENT: The attribute condition must reference one of the provider's claims and by looking at your command, it seems that the attribute condition is missing from your command. You must always use an attribute condition to restrict access to tokens issued by your GitHub organization.

You may try to add the --attribute-condition=“assertion.repository.repository_owner == ‘my-github-org’” from your command below, note that the ‘my-github-org’ is just a sample only:

gcloud iam workload-identity-pools providers create-oidc "github-actions-provider" \
  --project="my-project-name" \
  --location="global" \
  --workload-identity-pool="github-actions" \
  --display-name="GitHub Actions Provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
  --attribute-condition="assertion.repository_owner == 'my-github-org'" \
  --issuer-uri="https://token.actions.githubusercontent.com"

For reference, you may also check this security consideration from GitHub.

I hope the above information is helpful.

4 Likes
3

Any idea why this declaration here might not work?

resource "google_iam_workload_identity_pool_provider" "github_provider" {
  project                            = var.project_id
  display_name                       = "GitHub Provider"
  workload_identity_pool_id          = google_iam_workload_identity_pool.github_actions_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider"
  provider                           = google
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }

  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }
}

resource "google_service_account_iam_binding" "allow_github" {

  service_account_id = google_service_account.service_account.id
  role               = "roles/iam.workloadIdentityUser"

  members = [
    "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github_actions_pool.name}/attribute.repository/${var.github_organisation}/my-project",
    "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github_actions_pool.name}/attribute.repository_owner/${var.github_organisation}"
  ]
}

The error I keep getting is

│ Error: Error creating WorkloadIdentityPoolProvider: googleapi: Error 400: The attribute condition must reference one of the provider's claims. For more information, see https://cloud.google.com/iam/docs/workload-identity-federation-with-deployment-pipelines#conditions
│ 
│   with google_iam_workload_identity_pool_provider.github_provider,
│   on github-actions-sa.tf line 14, in resource "google_iam_workload_identity_pool_provider" "github_provider":
│   14: resource "google_iam_workload_identity_pool_provider" "github_provider" ***
│

However, from what I can tell, the attribute mapping should be correct.

4

Hi @sfalk ,

Based on the error message

Error: Error creating WorkloadIdentityPoolProvider: googleapi: Error 400: The attribute condition must reference one of the provider's claims. For more information, see https://cloud.google.com/iam/docs/workload-identity-federation-with-deployment-pipelines#conditions

It seems that you need an attribute condition to reference one of the claims.

Based on the google_iam_workload_identity_pool_provider documentation, you could try adding an attribute condition for the respository claim.

See below for an example

resource "google_iam_workload_identity_pool_provider" "github_provider" {
  project                            = var.project_id
  display_name                       = "GitHub Provider"
  workload_identity_pool_id          = google_iam_workload_identity_pool.github_actions_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider"
  provider                           = google
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }

  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }
  
  // added this attribute_condition configuration argument
  attribute_condition = "assertion.repository == 'your-repository'"
}