I cannot create a Workload Identity Pool OIDC provider for GitHub Actions in project (PII Removed by Staff). Every attempt (Console, gcloud, REST) fails with:
INVALID_ARGUMENT: The attribute condition must reference one of the provider’s claims.
What I tried
-
Ran minimal gcloud create with only google.subject mapping:
gcloud iam workload-identity-pools providers create-oidc github-oidc-clean
–project=bonnie-lass-florals --location=global --workload-identity-pool=github-pool
–issuer-uri=“https://token.actions.githubusercontent.com”
–attribute-mapping=“google.subject=assertion.sub” --verbosity=debug -
Created a fresh test pool and retried (same error).
-
Tried the REST call with a gcloud access token.
-
Verified tokeninfo shows correct account & scopes.
-
Verified attributeMapping uses only claim references (no CEL expressions).
Representative error JSON:
{
“error”: {
“code”: 400,
“message”: “The attribute condition must reference one of the provider’s claims.”,
“status”: “INVALID_ARGUMENT”
}
}
Audit log insertIds (representative failures):
- 1xne2iadt32q timestamp: 2025-10-28T01:29:33.554607948Z (minimal mapping request)
- 1rkoquqdhik2 timestamp: 2025-10-27T19:46:54.688853721Z (attempt that had a CEL expression in attributeMapping)
Why this blocks me
- I need a working provider to bind the GitHub Actions principalSet to our service account (ci-github-sa) so workflows can authenticate to GCP. This prevents CI deployments.
Request / Questions
- Please investigate why CreateWorkloadIdentityPoolProvider rejects valid payloads (minimal mapping + issuerUri) for this project.
- If there is an org/policy requirement for attributeCondition, tell me the exact expression or mappings required.
- If this is a backend validation bug or residual state from a malformed attempt, please clear any blocking state or advise remediation steps.
Contact / quick info
- Project ID: (PII Removed by Staff)
- Project number: (PII Removed by Staff)
- Active gcloud account: (PII Removed by Staff)
- Repo: (PII Removed by Staff)