TL;DR
Action should better integrate with auth action that did not detect project id.
Detailed design
Such setup:
```yaml
- id: auth
  name: GCP OIDC
  uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: 'projects/redacted/locations/global/workloadIdentityPools/github/providers/github'
- id: secrets
  name: GCP SM Read
  uses: google-github-actions/get-secretmanager-secrets@v2
  with:
    secrets: REDACTED
```
Will result in: failed to access secret "redacted/versions/latest": the caller does not have permission
Adding project_id: 'redacted' to the auth step resolves this issue completely.
It was a nightmare to debug, because when using google-github-actions/setup-gcloud@v3 and then running gcloud secrets versions access latest --secret redacted --project=redacted worked fine.
I know that auth action has a warning for the missing project ID, but it is too subtle IMO.
Additionally it is very easy to waste time debugging such access due to copy pasting CLI commands that may include project id anyway (like I did).
Additional information
I would love to see that this action somehow detects that I am using your auth action and verifies that project id is present or at least add such warning about missing project id there too.
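The check requested above can also run as a repository-side lint. The following is an added example, not code from the issue or from either action: it walks an already-parsed workflow and reports every get-secretmanager-secrets step that follows an auth step with no explicit project_id. The job name `deploy`, the function names and the sample dicts are assumptions made for illustration, and the lint is deliberately conservative because the workflow file alone does not show whether the auth action would detect a project ID.

```python
AUTH = "google-github-actions/auth"
SECRETS = "google-github-actions/get-secretmanager-secrets"


def action_name(step):
    """Action reference without its @version ('' for plain run steps)."""
    return str(step.get("uses") or "").split("@", 1)[0].strip().lower()


def lint_workflow(workflow):
    """Flag Secret Manager steps that follow an auth step with no project_id.

    `workflow` is the dict a YAML loader (e.g. PyYAML's yaml.safe_load) returns.
    """
    findings = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        auth = None  # (label, inputs) of the most recent auth step in this job
        for index, step in enumerate(job.get("steps") or []):
            label = step.get("id") or step.get("name") or f"#{index}"
            name = action_name(step)
            if name == AUTH:
                auth = (label, step.get("with") or {})
            elif name == SECRETS and auth is not None:
                if not str(auth[1].get("project_id") or "").strip():
                    findings.append(
                        f"{job_id}: '{label}' runs after auth step "
                        f"'{auth[0]}', which sets no project_id"
                    )
    return findings


def sample_workflow(auth_inputs):
    """Constructed sample shaped like the setup in the issue (placeholder values)."""
    return {"jobs": {"deploy": {"steps": [  # 'deploy' is a hypothetical job name
        {"id": "auth", "name": "GCP OIDC",
         "uses": "google-github-actions/auth@v2", "with": auth_inputs},
        {"id": "secrets", "name": "GCP SM Read",
         "uses": "google-github-actions/get-secretmanager-secrets@v2",
         "with": {"secrets": "REDACTED"}},
    ]}}}


WIF = {"workload_identity_provider": "projects/redacted/locations/global/"
       "workloadIdentityPools/github/providers/github"}
BROKEN = sample_workflow(dict(WIF))                         # setup from the issue
FIXED = sample_workflow({**WIF, "project_id": "redacted"})  # with the reported fix

if __name__ == "__main__":
    for title, wf in (("broken", BROKEN), ("fixed", FIXED)):
        print(title, lint_workflow(wf) or "ok")
```
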