Closed as not planned
Labels: bug (Something isn't working)
Description
TL;DR
Deployment fails when using Workload Identity Federation (no service account keys) with a Storage bucket permission error, even though the linked identity has storage.objectAdmin.
Expected behavior
Deployment should succeed with assigned roles/storage.objectAdmin.
Observed behavior
Fails at gcloud run deploy with Storage error:
ERROR: Permission 'storage.buckets.get' denied on bucket [run-sources-kaisa-341a6-europe-west1].
Action YAML

```yaml
name: 'Deploy to Cloud Run from Source'

on:
  push:
    branches:
      - 'main'

env:
  PROJECT_ID: 'kaisa-341a6'
  REGION: 'europe-west1'
  SERVICE: 'kaisa-backend'

jobs:
  deploy:
    runs-on: 'ubuntu-latest'

    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
      - name: 'Checkout'
        uses: 'actions/checkout@v4' # actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332

      # Setup Dart SDK
      - name: 'Setup Dart SDK'
        uses: 'dart-lang/setup-dart@v1'
        with:
          sdk: 'stable' # Or a specific version like '3.3.0'

      # Install Dart Frog CLI
      - name: 'Install Dart Frog CLI'
        run: dart pub global activate dart_frog_cli

      # Build Dart Frog API for production
      - name: 'Build Dart Frog API'
        run: dart_frog build

      # Configure Workload Identity Federation and generate an access token.
      #
      # See https://github.com/google-github-actions/auth for more options,
      # including authenticating via a JSON credentials file.
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2
        with:
          project_id: ${{ env.PROJECT_ID }}
          workload_identity_provider: 'projects/818180271880/locations/global/workloadIdentityPools/github-new/providers/kaisa-backend'

      # The step needs an id, otherwise steps.deploy.outputs.url below is empty.
      - id: 'deploy'
        name: 'Deploy to Cloud Run'
        uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2
        with:
          service: '${{ env.SERVICE }}'
          region: '${{ env.REGION }}'
          # NOTE: If using a different source folder, update the image name below:
          source: './build'
          # Pass environment variables to the Cloud Run service
          env_vars:
            PROJECT_ID=kaisa-341a6,
            CLIENT_ID=106516496796169185313,
            CLIENT_EMAIL=firebase-adminsdk-n9pg2@kaisa-341a6.iam.gserviceaccount.com,
            SUPABASE_URL=https://pwidexezddkyfygwvevb.supabase.co
          secrets:
            PRIVATE_KEY=PRIVATE_KEY:latest,
            SUPABASE_ANON_KEY=SUPABASE_ANON_KEY:latest
          # env_vars: |
          #   PROJECT_ID=${{ env.PROJECT_ID }}
          #   CLIENT_ID=106516496796169185313
          #   CLIENT_EMAIL=firebase-adminsdk-n9pg2@kaisa-341a6.iam.gserviceaccount.com
          #   SUPABASE_URL=https://pwidexezddkyfygwvevb.supabase.co
          #
          # # Secrets are pulled from Google Cloud Secret Manager
          # # Since your secrets in Secret Manager are already named SUPABASE_ANON_KEY and PRIVATE_KEY,
          # # you can directly map them to environment variables with the same names.
          # secrets: |
          #   PRIVATE_KEY=PRIVATE_KEY:latest
          #   SUPABASE_ANON_KEY=SUPABASE_ANON_KEY:latest

      # If required, use the Cloud Run URL output in later steps
      - name: 'Show output'
        run: |-
          echo ${{ steps.deploy.outputs.url }}
```

Log output
```
google-github-actions/deploy-cloudrun failed with: failed to execute gcloud command `gcloud run deploy kaisa-backend --source ./build --update-env-vars ^,^PROJECT_ID=kaisa-341a6,CLIENT_ID=106516496796169185313,CLIENT_EMAIL=firebase-adminsdk-n9pg2@kaisa-341a6.iam.gserviceaccount.com,SUPABASE_URL=https://pwidexezddkyfygwvevb.supabase.co --update-secrets ^,^PRIVATE_KEY=PRIVATE_KEY:latest,SUPABASE_ANON_KEY=SUPABASE_ANON_KEY:latest --update-labels ^,^managed-by=github-actions,commit-sha=d50c9410025e20fe18c405fb0b9c07a036aca8d1 --format json --region europe-west1`: Building using Dockerfile and deploying container to Cloud Run service [kaisa-backend] in project [kaisa-341a6] region [europe-west1]
Building and deploying...
Uploading sources...............failed
Deployment failed
ERROR: (gcloud.run.deploy) [principal://iam.googleapis.com/projects/818180271880/locations/global/workloadIdentityPools/github-new/subject/repo:naimoolsha/kaisa-backend:ref:refs/heads/main] does not have permission to access b instance [run-sources-kaisa-341a6-europe-west1] (or it may not exist): Caller does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist). This command is authenticated as principal://iam.googleapis.com/projects/818180271880/locations/global/workloadIdentityPools/github-new/subject/repo:naimoolsha/kaisa-backend:ref:refs/heads/main using the credentials in /home/runner/work/kaisa-backend/kaisa-backend/gha-creds-d7d45b0737d893b1.json, specified by the [auth/credential_file_override] property.
```
Additional information
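The error in the log is consistent with the roles described: `roles/storage.objectAdmin` grants `storage.objects.*` but not `storage.buckets.get`, and the source upload checks the bucket first. The script below is an added example, not code from the issue or from google-github-actions/deploy-cloudrun. It takes IAM policy JSON of the shape `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` and `gcloud projects get-iam-policy PROJECT --format=json` return (constructed here to mirror the issue), reports which permissions the WIF principal still lacks on the run-sources bucket, and prints gcloud commands that grant only those permissions at bucket scope instead of a project-wide `roles/storage.admin`. Assumptions, labelled in the code: the required-permission set, the role-to-permission table (a hand-copied subset; refresh it with `gcloud iam roles describe ROLE`), the custom role id `runSourceUploader`, and, for `principalSet://` bindings, that the pool maps `attribute.repository` from the GitHub token's `repository` claim.

```python
"""Check whether a Workload Identity Federation principal can upload Cloud Run
sources and, if not, print a least-privilege fix.

Added example, not part of the issue or of google-github-actions/deploy-cloudrun.
Policies and the role table below are constructed for the demo.
"""
import json

# ASSUMPTION: what `gcloud run deploy --source` needs on the run-sources bucket.
# storage.buckets.get is the permission named in the issue's error; objects.create
# is the upload itself. Refine per gcloud version.
REQUIRED = frozenset({"storage.buckets.get", "storage.objects.create"})

# ASSUMPTION: hand-copied subset of predefined roles; a trailing ".*" is a wildcard.
# Refresh with `gcloud iam roles describe ROLE` before trusting it for a real check.
ROLE_PERMISSIONS = {
    "roles/storage.objectAdmin": ("storage.objects.create", "storage.objects.delete",
                                  "storage.objects.get", "storage.objects.list",
                                  "storage.objects.update"),
    "roles/storage.objectCreator": ("storage.objects.create",),
    "roles/storage.legacyBucketReader": ("storage.buckets.get", "storage.objects.list"),
    "roles/storage.admin": ("storage.buckets.*", "storage.objects.*"),
}

PRINCIPAL = ("principal://iam.googleapis.com/projects/818180271880/locations/global/"
             "workloadIdentityPools/github-new/subject/repo:naimoolsha/kaisa-backend:ref:refs/heads/main")
BUCKET = "run-sources-kaisa-341a6-europe-west1"
PROJECT = "kaisa-341a6"

# Constructed bucket policy mirroring the issue: objectAdmin only, bound directly.
SAMPLE_POLICIES = [json.loads(json.dumps({
    "bindings": [{"role": "roles/storage.objectAdmin", "members": [PRINCIPAL]}],
    "etag": "CAE=",
}))]


def wif_pool(member):
    """'iam.googleapis.com/projects/N/locations/global/workloadIdentityPools/POOL'
    for a principal:// or principalSet:// member, else None."""
    for scheme in ("principal://", "principalSet://"):
        if member.startswith(scheme):
            path = member[len(scheme):]
            i = path.find("/workloadIdentityPools/")
            if i < 0:
                return None
            j = path.find("/", i + len("/workloadIdentityPools/"))
            return path[:j] if j > 0 else path
    return None


def principal_repo(member):
    """'OWNER/REPO' from a GitHub subject of the form repo:OWNER/REPO:ref:..., else None."""
    marker = "/subject/repo:"
    if not member.startswith("principal://") or marker not in member:
        return None
    return member.split(marker, 1)[1].split(":", 1)[0]


def binding_covers(binding_member, principal):
    """True if a binding member applies to the principal: exact match, the whole
    pool (principalSet .../*), or the repository attribute. ASSUMPTION: the pool
    maps attribute.repository from the token's `repository` claim."""
    if binding_member == principal:
        return True
    if not binding_member.startswith("principalSet://"):
        return False  # groups, users, allUsers etc. are not evaluated here
    pool = wif_pool(principal)
    if pool is None or wif_pool(binding_member) != pool:
        return False
    tail = binding_member[len("principalSet://") + len(pool):]
    if tail == "/*":
        return True
    repo = principal_repo(principal)
    return repo is not None and tail == "/attribute.repository/" + repo


def role_grants(role, permission, role_perms=ROLE_PERMISSIONS):
    for p in role_perms.get(role, ()):
        if p == permission or (p.endswith(".*") and permission.startswith(p[:-1])):
            return True
    return False


def missing_permissions(policies, principal, required=REQUIRED, role_perms=ROLE_PERMISSIONS):
    """Required permissions no unconditional binding grants the principal. Feed both
    the bucket policy and the project policy, since bucket policies do not list
    inherited project-level bindings. Conditional bindings are not assumed to apply."""
    held = set()
    for policy in policies:
        for b in policy.get("bindings", []):
            if "condition" in b:
                continue
            if any(binding_covers(m, principal) for m in b.get("members", [])):
                held.update(p for p in required if role_grants(b["role"], p, role_perms))
    return sorted(required - held)


def fix_commands(project, bucket, principal, required=REQUIRED, role_id="runSourceUploader"):
    """gcloud commands for a bucket-scoped custom role (ASSUMPTION: role id is ours)."""
    perms = ",".join(sorted(required))
    return [
        f"gcloud iam roles create {role_id} --project={project} "
        f"--title='Cloud Run source uploader' --permissions={perms}",
        f"gcloud storage buckets add-iam-policy-binding gs://{bucket} "
        f"--member='{principal}' --role='projects/{project}/roles/{role_id}'",
    ]


if __name__ == "__main__":
    missing = missing_permissions(SAMPLE_POLICIES, PRINCIPAL)
    print("missing on", BUCKET, ":", missing)
    if missing:
        print("\n".join(fix_commands(PROJECT, BUCKET, PRINCIPAL)))
```

Run it against the real policies by replacing `SAMPLE_POLICIES` with the JSON from the two `get-iam-policy` commands. The custom role keeps the grant to the two permissions the upload needs and binds it on the single run-sources bucket, which is narrower than the usual workaround of project-wide `roles/storage.admin`.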