google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s)

Question

The action is failing with the following error... "google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s)". I'm not using a service account.

I'm using the “Direct Workload Identity Federation” option as described by the google-github-actions/auth action. I also created my Workload Identity Pool and Provider according to their instructions. All of the help I'm reading talks about service accounts, but the auth action is clear that the "Direct Workload Identity Federation" option does not require a service account.

from the google-github-actions/auth documentation...

    service_account: (Optional) Email address or unique identifier of the Google Cloud service account for which to impersonate and generate credentials. 

Without this input, the GitHub Action will use Direct Workload Identity Federation

Action YAML

name: deploy-k8s-manifests

on:
  push:
    branches:
      - dev
    paths:
      - 'k8s/**'

jobs:
  deploy:
    runs-on: ubuntu-latest

    # Add "id-token" with the intended permissions.
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
      - name: Get code
        uses: actions/checkout@v4

      - name: Authenticate with GCP
        id: 'auth'
        uses: google-github-actions/auth@v2
        with:
          project_id: 'my-project'
          workload_identity_provider: 'projects/299900345299/locations/global/workloadIdentityPools/github/providers/my-provider'

      - name: Get GKE credentials
        id: 'get-credentials'
        uses: google-github-actions/get-gke-credentials@v2
        with:
          cluster_name: 'preprod'
          location: 'us-central1'

      - name: Do anything with kubectl
        run: kubectl get pods

Log output

Authenticate with GCP
Run google-github-actions/auth@v2
Created credentials file at "/home/runner/work/my-project/my-project/gha-creds-c9c4d62169250d9a.json"

Get GKE credentials
Run google-github-actions/get-gke-credentials@v2
Error: google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s) for "projects/my-project/locations/us-central1/clusters/preprod".

Any help will be greatly appreciated.

Answer 1

Ok, I finally got this to work, and there is no service account! The following link proved to be the most helpful, filling in the gaps I was missing about assigning IAM roles to WIF stuff. I consider it mandatory reading for authenticating GKE with GitHub Actions - https://cloud.google.com/iam/docs/workload-identity-federation-with-deployment-pipelines#github-actions

In order to run something as simple as "kubectl get pods" after authenticating, I needed to add both "roles/container.clusterViewer" and "roles/container.admin" to... something (read on). I'm sure roles/container.admin was overkill, but it works. I added those roles to what I call in my own head a "WIF scenario" via the following two commands...

gcloud projects add-iam-policy-binding my-project \
--role "roles/container.clusterViewer" \
--member "principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.repository/my-repo"

gcloud projects add-iam-policy-binding my-project \
--role "roles/container.admin" \
--member "principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.repository/my-repo"

What I found most confusing is the member value in the above commands. To help, member can be a user's email (e.g. -- member "user: EMAIL"), which is super easy to understand as someone to assign roles to. In the specific case here, however, member is what I'd call a "WIF scenario". Here's how I think of the above gcloud commands, and not understanding this was my biggest mind-block - "When a call comes through via the specified Workload Identity Federation Pool, AND the token Github Actions sends along with it contains a 'repository' property with a value of 'my-repo', respond with credentials containing the following role(s)." We're binding a particular scenario using a particular WIF pool to a role. The fact the repo name is associated with "attribute.repository" comes from the "Attribute Mapping" on the WIF Provider...

The relevant section you want in the link above is specifically - https://cloud.google.com/iam/docs/workload-identity-federation-with-deployment-pipelines#authenticate. When I first stumbled across SUBJECT, GROUP, and ATTRIBUTE, I was super confused, not understanding what the heck I was supposed to assign a role to. Now I understand that...

• the google-github-actions/auth action sends a request to GCP containing a token (with values GitHub Actions provides for that specific call, described here - https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token)
• you bind IAM roles/permissions to a member described as a call to your WIF Pool containing certain values ("repository" = "my-repo" in my example above)
• subsequent GKE commands have the roles/permissions bound to that "WIF scenario"

No service account involved, just a specific call from GitHub Actions, and some short-lived credentials coming back from GCP.