The action is failing with the following error… "google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s)". I’m not using a service account.
I’m using the “Direct Workload Identity Federation” option as described by the google-github-actions/auth action. I also created my Workload Identity Pool and Provider according to their instructions. All of the help I’m reading talks about service accounts, but the auth action is clear that the "Direct Workload Identity Federation" option does not require a service account.
From the google-github-actions/auth documentation…
service_account: (Optional) Email address or unique identifier of the Google Cloud service account for which to impersonate and generate credentials.
Without this input, the GitHub Action will use Direct Workload Identity Federation
Action YAML
name: deploy-k8s-manifests
on:
  push:
    branches:
      - dev
    paths:
      - 'k8s/**'
jobs:
  deploy:
    runs-on: ubuntu-latest
    # Add "id-token" with the intended permissions.
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - name: Get code
        uses: actions/checkout@v4
      - name: Authenticate with GCP
        id: 'auth'
        uses: google-github-actions/auth@v2
        with:
          project_id: 'my-project'
          workload_identity_provider: 'projects/299900345299/locations/global/workloadIdentityPools/github/providers/my-provider'
      - name: Get GKE credentials
        id: 'get-credentials'
        uses: google-github-actions/get-gke-credentials@v2
        with:
          cluster_name: 'preprod'
          location: 'us-central1'
      - name: Do anything with kubectl
        run: kubectl get pods
Log output
Authenticate with GCP
Run google-github-actions/auth@v2
Created credentials file at "/home/runner/work/my-project/my-project/gha-creds-c9c4d62169250d9a.json"
Get GKE credentials
Run google-github-actions/get-gke-credentials@v2
Error: google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s) for "projects/my-project/locations/us-central1/clusters/preprod".
Any help will be greatly appreciated.
2 Answers
OK, I finally got this to work, and there is no service account! The following link proved to be the most helpful, filling in the gaps I was missing about assigning IAM roles to WIF stuff. I consider it mandatory reading for authenticating GKE with GitHub Actions - https://cloud.google.com/iam/docs/workload-identity-federation-with-deployment-pipelines#github-actions
In order to run something as simple as "kubectl get pods" after authenticating, I needed to add both "roles/container.clusterViewer" and "roles/container.admin" to... something (read on). I'm sure roles/container.admin was overkill, but it works. I added those roles to what I call in my own head a "WIF scenario" via the following two commands...
What I found most confusing is the member value in the above commands. To help, member can be a user's email (e.g. --member="user:EMAIL"), which is super easy to understand as someone to assign roles to. In the specific case here, however, member is what I'd call a "WIF scenario". Here's how I think of the above gcloud commands, and not understanding this was my biggest mind-block - "When a call comes through via the specified Workload Identity Federation Pool, AND the token GitHub Actions sends along with it contains a 'repository' property with a value of 'my-repo', respond with credentials containing the following role(s)." We're binding a particular scenario using a particular WIF pool to a role. The fact the repo name is associated with "attribute.repository" comes from the "Attribute Mapping" on the WIF Provider...
The relevant section you want in the link above is specifically - https://cloud.google.com/iam/docs/workload-identity-federation-with-deployment-pipelines#authenticate. When I first stumbled across SUBJECT, GROUP, and ATTRIBUTE, I was super confused, not understanding what the heck I was supposed to assign a role to. Now I understand that...
No service account involved, just a specific call from GitHub Actions, and some short-lived credentials coming back from GCP.
As per the error message, it states that the "container.clusters.get" permission is required, which also indicates that the WIF configuration does not have the necessary permissions for the GitHub Actions workflow to access your GKE cluster.
"Direct Workload Identity Federation" allows your GitHub Actions workflow to access Google Cloud resources without the need for service accounts; because of that, the default credentials being used by the action do not have the necessary permissions to access the GKE cluster.
In order to fix this issue please follow the below steps:
Please ensure that the action is using default credentials which have the right permissions to access the GKE cluster.
Please note that the IAM roles assigned to the default credentials need to include the necessary permissions, such as the "Kubernetes Engine Cluster Admin" (roles/container.admin) role, and grant permissions to the Workload Identity Provider. Please refer to Create IAM allow policies for more details.
If you want to know more about the roles you can set/add to your service accounts, see the predefined Kubernetes Engine roles.
Note: Check that the project_id and location in your GitHub Actions workflow match the project and region where your GKE cluster is located.
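Both answers describe the same procedure, binding IAM roles to a Direct Workload Identity Federation principal, without showing the commands. The script below is an added example, not the commands from either answer: it derives the pool resource from the workload_identity_provider value in the question's workflow (the pool path carries the project number, not the project ID), builds the principalSet member that matches tokens from that pool whose mapped attribute.repository equals a given OWNER/REPO, and emits the gcloud bindings. The repository name my-org/my-repo, the DRY_RUN switch and the helper names are assumptions; the project and provider values come from the question. The GitHub OIDC repository claim is always OWNER/REPO, and the binding only matches if the provider's attribute mapping contains attribute.repository=assertion.repository. roles/container.clusterViewer covers the container.clusters.get check that get-gke-credentials performs; kubectl get pods then needs a role that carries container.pods.list, such as roles/container.viewer, which is a much smaller grant than roles/container.admin.

```shell
#!/bin/sh
# Added example, not the commands from either answer on this page.
# Derives the Direct WIF IAM member from the workflow's provider resource and
# prints (or, with DRY_RUN=0, runs) the gcloud bindings for GKE access.
set -eu

PROJECT_ID="my-project"          # from the question's workflow
PROVIDER="projects/299900345299/locations/global/workloadIdentityPools/github/providers/my-provider"
GITHUB_REPO="my-org/my-repo"     # assumed; the OIDC 'repository' claim is OWNER/REPO

# The pool resource is the provider resource with the trailing
# /providers/<provider-id> removed.
pool_from_provider() {
  printf '%s' "${1%/providers/*}"
}

# principalSet:// member matching every token issued through the pool whose
# mapped attribute.repository equals OWNER/REPO (answer 1's "WIF scenario").
wif_repo_member() {
  pool="$1"; repo="$2"
  printf 'principalSet://iam.googleapis.com/%s/attribute.repository/%s' "$pool" "$repo"
}

# Project-level role binding. DRY_RUN=1 (the default) prints the command
# instead of running it, so the script is safe without gcloud installed.
grant_project_role() {
  project_id="$1"; member="$2"; role="$3"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'gcloud projects add-iam-policy-binding %s --member="%s" --role="%s"\n' \
      "$project_id" "$member" "$role"
  else
    gcloud projects add-iam-policy-binding "$project_id" --member="$member" --role="$role"
  fi
}

POOL="$(pool_from_provider "$PROVIDER")"
MEMBER="$(wif_repo_member "$POOL" "$GITHUB_REPO")"

# container.clusters.get (what get-gke-credentials checks) is in clusterViewer.
grant_project_role "$PROJECT_ID" "$MEMBER" "roles/container.clusterViewer"
# Listing pods through kubectl needs container.pods.list; viewer is enough.
grant_project_role "$PROJECT_ID" "$MEMBER" "roles/container.viewer"
```

Run it as-is to see the two gcloud commands, then with DRY_RUN=0 to apply them. A member whose repository does not match the attribute.repository value receives no role at all, so a typo in OWNER/REPO produces exactly the container.clusters.get error from the question rather than a broader failure.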