Extended token lifetime from auth doesn't work #237

Closed
mowies opened this issue Jul 4, 2022 · 5 comments
Labels
bug Something isn't working

Comments

@mowies

mowies commented Jul 4, 2022

TL;DR

I am using google-github-actions/auth with the following settings:

credentials_json: <my-secret-json-token-file>
access_token_lifetime: "7200s"
token_format: "access_token"

After that, I use the get-gke-credentials action to get my kubeconfig. I assumed that I could use that kubeconfig for the 7200s (2h) set above, but instead my pipeline still fails exactly after (the default) 1h with unauthorized errors.

Expected behavior

I can use my kube config for 2h, since I set my token in the auth action to be valid for 2h.

Observed behavior

My pipeline starts failing with unauthorized errors exactly after 1h.
I checked the debug logs of my pipeline and the access token is indeed showing an expiration time of 2h. So I assume that the get-gke-credentials action uses a different token somehow?

Action YAML

- name: Authenticate to Google Cloud
  uses: google-github-actions/auth@v0.8.0
  with:
    credentials_json: <my-secret-json-token>
    access_token_lifetime: "7200s"
    token_format: "access_token"

- name: Get Kubeconfig
  uses: google-github-actions/get-gke-credentials@v0.7.0
  with:
    cluster_name: ${{ matrix.CLUSTER_NAME }}
    location: "my-gcp-zone"

Log output

Logs from google-github-actions/auth

2022-07-04T07:05:55.7047634Z ##[debug]Evaluating condition for step: 'Authenticate to Google Cloud'
2022-07-04T07:05:55.7048699Z ##[debug]Evaluating: (success() && (env.CLOUD_PROVIDER == 'GKE'))
2022-07-04T07:05:55.7049066Z ##[debug]Evaluating And:
2022-07-04T07:05:55.7049410Z ##[debug]..Evaluating success:
2022-07-04T07:05:55.7049750Z ##[debug]..=> true
2022-07-04T07:05:55.7050071Z ##[debug]..Evaluating Equal:
2022-07-04T07:05:55.7050414Z ##[debug]....Evaluating Index:
2022-07-04T07:05:55.7050726Z ##[debug]......Evaluating env:
2022-07-04T07:05:55.7051040Z ##[debug]......=> Object
2022-07-04T07:05:55.7051367Z ##[debug]......Evaluating String:
2022-07-04T07:05:55.7051704Z ##[debug]......=> 'CLOUD_PROVIDER'
2022-07-04T07:05:55.7052030Z ##[debug]....=> 'GKE'
2022-07-04T07:05:55.7052353Z ##[debug]....Evaluating String:
2022-07-04T07:05:55.7052641Z ##[debug]....=> 'GKE'
2022-07-04T07:05:55.7052927Z ##[debug]..=> true
2022-07-04T07:05:55.7053211Z ##[debug]=> true
2022-07-04T07:05:55.7053654Z ##[debug]Expanded: (true && ('GKE' == 'GKE'))
2022-07-04T07:05:55.7054067Z ##[debug]Result: true
2022-07-04T07:05:55.7054546Z ##[debug]Starting: Authenticate to Google Cloud
2022-07-04T07:05:55.7076877Z ##[debug]Register post job cleanup for action: google-github-actions/auth@v0.8.0
2022-07-04T07:05:55.7084038Z ##[debug]Loading inputs
2022-07-04T07:05:55.7085202Z ##[debug]Evaluating: secrets.GCLOUD_RESTRICTED_SERVICE_KEY
2022-07-04T07:05:55.7085548Z ##[debug]Evaluating Index:
2022-07-04T07:05:55.7085796Z ##[debug]..Evaluating secrets:
2022-07-04T07:05:55.7086094Z ##[debug]..=> Object
2022-07-04T07:05:55.7086336Z ##[debug]..Evaluating String:
2022-07-04T07:05:55.7086610Z ##[debug]..=> 'GCLOUD_RESTRICTED_SERVICE_KEY'
2022-07-04T07:05:55.7294527Z ##[debug]=> '***'
2022-07-04T07:05:55.7503890Z ##[debug]Result: '***'
2022-07-04T07:05:55.7510596Z ##[debug]Loading env
2022-07-04T07:05:55.7515263Z ##[group]Run google-github-actions/auth@v0.8.0
2022-07-04T07:05:55.7515520Z with:
2022-07-04T07:05:55.7720813Z   credentials_json: ***
2022-07-04T07:05:55.7721078Z   access_token_lifetime: 7200s
2022-07-04T07:05:55.7721340Z   token_format: access_token
2022-07-04T07:05:55.7721589Z   create_credentials_file: true
2022-07-04T07:05:55.7721853Z   export_environment_variables: true
2022-07-04T07:05:55.7722114Z   cleanup_credentials: true
2022-07-04T07:05:55.7722450Z   access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2022-07-04T07:05:55.7722748Z   retries: 0
2022-07-04T07:05:55.7722958Z   id_token_include_email: false
2022-07-04T07:05:55.7723172Z env:
2022-07-04T07:05:55.7723387Z   META_KEPTN_VERSION: 0.13.2
2022-07-04T07:05:55.7723635Z   META_KEPTN_KEPTN_PROJECT: keptn
2022-07-04T07:05:55.7723877Z   CLOUD_PROVIDER: GKE
2022-07-04T07:05:55.7724104Z   PLATFORM: kubernetes
2022-07-04T07:05:55.7724536Z   PLATFORM_VERSION: 1.22
2022-07-04T07:05:55.7724765Z   KUBECONFIG: 
2022-07-04T07:05:55.7724998Z   KEPTN_NAMESPACE: keptn-test-2396-2
2022-07-04T07:05:55.7725269Z   KEPTN_SERVICE_TYPE: LoadBalancer
2022-07-04T07:05:55.7725531Z   RUN_CONTINUOUS_DELIVERY_TEST: true
2022-07-04T07:05:55.7725781Z   RUN_AIRGAPPED_TEST: 
2022-07-04T07:05:55.7726094Z   AIRGAPPED_REGISTRY_URL: k3d-container-registry.localhost:12345
2022-07-04T07:05:55.7726415Z   REMOTE_EXECUTION_PLANE: false
2022-07-04T07:05:55.7726669Z   COLLECT_RESOURCE_LIMITS: true
2022-07-04T07:05:55.7726906Z   GO_VERSION: ~1.18
2022-07-04T07:05:55.7727154Z   TEST_REPORT_FOLDER: test-reports-GKE-1.22
2022-07-04T07:05:55.7727451Z   FINAL_TEST_REPORT_FOLDER: test-reports
2022-07-04T07:05:55.7727787Z   FINAL_TEST_REPORT_PATH: test-reports/test-report-final-GKE-1.22.log
2022-07-04T07:05:55.7728193Z   TEST_REPORT_FILENAME_SUFFIX: test-report-2607468287-kubernetes-GKE-1.22.log
2022-07-04T07:05:55.7728509Z   BRANCH: master
2022-07-04T07:05:55.7728727Z   BRANCH_SLUG: master
2022-07-04T07:05:55.7728952Z   BUILD_EVERYTHING: true
2022-07-04T07:05:55.7729191Z   VERSION: 0.17.0-dev.202206301240
2022-07-04T07:05:55.7729406Z   DATETIME: 202206301240
2022-07-04T07:05:55.7729621Z   GIT_SHA: 6a0e1bec1
2022-07-04T07:05:55.7729835Z ##[endgroup]
2022-07-04T07:05:55.8627699Z ##[debug]Using credentials JSON
2022-07-04T07:05:55.8635296Z ##[debug]Creating credentials file
2022-07-04T07:05:55.8669079Z Created credentials file at "/home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json"
2022-07-04T07:05:55.8671069Z 
2022-07-04T07:05:55.8673872Z ::set-output name=credentials_file_path::/home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json
2022-07-04T07:05:55.8674465Z ##[debug]='/home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json'
2022-07-04T07:05:55.8680521Z 
2022-07-04T07:05:55.8682178Z ::set-output name=project_id::***
2022-07-04T07:05:55.8682500Z ##[debug]='***'
2022-07-04T07:05:55.8688181Z ##[debug]Creating access token
2022-07-04T07:05:55.9434913Z ::add-mask::***
2022-07-04T07:05:55.9437129Z 
2022-07-04T07:05:55.9443389Z ::set-output name=access_token::***
2022-07-04T07:05:55.9448712Z ##[debug]='***'
2022-07-04T07:05:55.9449094Z 
2022-07-04T07:05:55.9449653Z ::set-output name=access_token_expiration::2022-07-04T09:05:55Z
2022-07-04T07:05:55.9449937Z ##[debug]='2022-07-04T09:05:55Z'
2022-07-04T07:05:55.9522710Z ##[debug]Node Action run completed with exit code 0
2022-07-04T07:05:55.9524139Z ##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json'
2022-07-04T07:05:55.9524611Z ##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json'
2022-07-04T07:05:55.9525028Z ##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json'
2022-07-04T07:05:55.9525368Z ##[debug]CLOUDSDK_CORE_PROJECT='***'
2022-07-04T07:05:55.9525645Z ##[debug]CLOUDSDK_PROJECT='***'
2022-07-04T07:05:55.9525919Z ##[debug]GCLOUD_PROJECT='***'
2022-07-04T07:05:55.9526182Z ##[debug]GCP_PROJECT='***'
2022-07-04T07:05:55.9526442Z ##[debug]GOOGLE_CLOUD_PROJECT='***'
2022-07-04T07:05:55.9527453Z ##[debug]Finishing: Authenticate to Google Cloud

Logs from google-github-actions/get-gke-credentials

2022-07-04T07:06:10.3527132Z ##[debug]Evaluating condition for step: 'Get Kubeconfig'
2022-07-04T07:06:10.3528757Z ##[debug]Evaluating: (success() && (env.CLOUD_PROVIDER == 'GKE'))
2022-07-04T07:06:10.3529199Z ##[debug]Evaluating And:
2022-07-04T07:06:10.3529548Z ##[debug]..Evaluating success:
2022-07-04T07:06:10.3530010Z ##[debug]..=> true
2022-07-04T07:06:10.3530346Z ##[debug]..Evaluating Equal:
2022-07-04T07:06:10.3530701Z ##[debug]....Evaluating Index:
2022-07-04T07:06:10.3531040Z ##[debug]......Evaluating env:
2022-07-04T07:06:10.3531367Z ##[debug]......=> Object
2022-07-04T07:06:10.3531713Z ##[debug]......Evaluating String:
2022-07-04T07:06:10.3532068Z ##[debug]......=> 'CLOUD_PROVIDER'
2022-07-04T07:06:10.3532441Z ##[debug]....=> 'GKE'
2022-07-04T07:06:10.3532776Z ##[debug]....Evaluating String:
2022-07-04T07:06:10.3533090Z ##[debug]....=> 'GKE'
2022-07-04T07:06:10.3533396Z ##[debug]..=> true
2022-07-04T07:06:10.3533675Z ##[debug]=> true
2022-07-04T07:06:10.3534155Z ##[debug]Expanded: (true && ('GKE' == 'GKE'))
2022-07-04T07:06:10.3534608Z ##[debug]Result: true
2022-07-04T07:06:10.3535226Z ##[debug]Starting: Get Kubeconfig
2022-07-04T07:06:10.3552359Z ##[debug]Loading inputs
2022-07-04T07:06:10.3553459Z ##[debug]Evaluating: matrix.CLUSTER_NAME
2022-07-04T07:06:10.3553746Z ##[debug]Evaluating Index:
2022-07-04T07:06:10.3554007Z ##[debug]..Evaluating matrix:
2022-07-04T07:06:10.3554258Z ##[debug]..=> Object
2022-07-04T07:06:10.3554508Z ##[debug]..Evaluating String:
2022-07-04T07:06:10.3554754Z ##[debug]..=> 'CLUSTER_NAME'
2022-07-04T07:06:10.3555074Z ##[debug]=> '***'
2022-07-04T07:06:10.3555403Z ##[debug]Result: '***'
2022-07-04T07:06:10.3557618Z ##[debug]Loading env
2022-07-04T07:06:10.3562072Z ##[group]Run google-github-actions/get-gke-credentials@v0.7.0
2022-07-04T07:06:10.3562368Z with:
2022-07-04T07:06:10.3562607Z   cluster_name: ***
2022-07-04T07:06:10.3562877Z   location: ***
2022-07-04T07:06:10.3563116Z   use_auth_provider: false
2022-07-04T07:06:10.3563366Z   use_internal_ip: false
2022-07-04T07:06:10.3563583Z env:
2022-07-04T07:06:10.3563795Z   META_KEPTN_VERSION: 0.13.2
2022-07-04T07:06:10.3564051Z   META_KEPTN_KEPTN_PROJECT: keptn
2022-07-04T07:06:10.3564297Z   CLOUD_PROVIDER: GKE
2022-07-04T07:06:10.3564528Z   PLATFORM: kubernetes
2022-07-04T07:06:10.3564761Z   PLATFORM_VERSION: 1.22
2022-07-04T07:06:10.3564988Z   KUBECONFIG: 
2022-07-04T07:06:10.3565234Z   KEPTN_NAMESPACE: keptn-test-2396-2
2022-07-04T07:06:10.3565510Z   KEPTN_SERVICE_TYPE: LoadBalancer
2022-07-04T07:06:10.3565775Z   RUN_CONTINUOUS_DELIVERY_TEST: true
2022-07-04T07:06:10.3566013Z   RUN_AIRGAPPED_TEST: 
2022-07-04T07:06:10.3566328Z   AIRGAPPED_REGISTRY_URL: k3d-container-registry.localhost:12345
2022-07-04T07:06:10.3566651Z   REMOTE_EXECUTION_PLANE: false
2022-07-04T07:06:10.3566905Z   COLLECT_RESOURCE_LIMITS: true
2022-07-04T07:06:10.3567141Z   GO_VERSION: ~1.18
2022-07-04T07:06:10.3567409Z   TEST_REPORT_FOLDER: test-reports-GKE-1.22
2022-07-04T07:06:10.3567706Z   FINAL_TEST_REPORT_FOLDER: test-reports
2022-07-04T07:06:10.3568161Z   FINAL_TEST_REPORT_PATH: test-reports/test-report-final-GKE-1.22.log
2022-07-04T07:06:10.3568581Z   TEST_REPORT_FILENAME_SUFFIX: test-report-2607468287-kubernetes-GKE-1.22.log
2022-07-04T07:06:10.3568902Z   BRANCH: master
2022-07-04T07:06:10.3569125Z   BRANCH_SLUG: master
2022-07-04T07:06:10.3569359Z   BUILD_EVERYTHING: true
2022-07-04T07:06:10.3569605Z   VERSION: 0.17.0-dev.202206301240
2022-07-04T07:06:10.3569839Z   DATETIME: 202206301240
2022-07-04T07:06:10.3570056Z   GIT_SHA: 6a0e1bec1
2022-07-04T07:06:10.3570414Z   CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json
2022-07-04T07:06:10.3570883Z   GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json
2022-07-04T07:06:10.3571318Z   GOOGLE_GHA_CREDS_PATH: /home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json
2022-07-04T07:06:10.3571660Z   CLOUDSDK_CORE_PROJECT: ***
2022-07-04T07:06:10.3571932Z   CLOUDSDK_PROJECT: ***
2022-07-04T07:06:10.3572295Z   GCLOUD_PROJECT: ***
2022-07-04T07:06:10.3572547Z   GCP_PROJECT: ***
2022-07-04T07:06:10.3572807Z   GOOGLE_CLOUD_PROJECT: ***
2022-07-04T07:06:10.3573130Z   CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2022-07-04T07:06:10.3573422Z ##[endgroup]
2022-07-04T07:06:10.4538368Z Extracted project ID "***" from $GCLOUD_PROJECT
2022-07-04T07:06:10.6945922Z Successfully created and exported "KUBECONFIG" at /home/runner/work/keptn/keptn/918a154edea587e9bc09f34b
2022-07-04T07:06:10.6991251Z ##[debug]Node Action run completed with exit code 0
2022-07-04T07:06:10.6992590Z ##[debug]KUBECONFIG='/home/runner/work/keptn/keptn/918a154edea587e9bc09f34b'
2022-07-04T07:06:10.6993606Z ##[debug]Finishing: Get Kubeconfig

Additional information

No response

@sethvargo
Member

Hi @mowies

Thank you for opening an issue. I see there's some confusion about the auth action. I've opened google-github-actions/auth#204 to clarify that the "access_token_" and "id_token_" fields only apply to access tokens and ID tokens generated by the auth action; they do not extend to future actions.

Can you try setting use_auth_provider: true in your get-gke-credentials YAML instead? I believe that will handle token refreshes automatically.

@mowies
Author

mowies commented Jul 6, 2022

@sethvargo
Since my previous setup didn't work, I reverted to using use_auth_provider: true and that does work, but then I get warnings like this:

W0706 03:25:14.141926    1916 gcp.go:120] WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.25+; use gcloud instead.
To learn more, consult https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke

And that's exactly what I wanted to prevent in the first place.

@sethvargo
Member

@bharathkkb thoughts?

@mowies
Author

mowies commented Jul 11, 2022

@sethvargo @bharathkkb any updates on this?

@sethvargo
Member

Hi @mowies - sorry for the delay. Extending the token lifetime would require switching from the standard oauth2 endpoints to the iamcredentials endpoints. That is an easy fix, but doing so would require users to grant additional IAM roles such as ServiceAccountTokenCreator to their service account. The default token extension is not available from the standard oauth2 access points.

In addition to the permissions, the iamcredentials endpoint requires us to know the email address of the authenticated service account, which may not always be known. This is actually one of the reasons that the "auth" action requires a service_account_email input.

There are two options here:

  1. Generate an extended access token from "auth" and update the KUBECONFIG
  2. Use the GCP Kubernetes auth plugin which will refresh credentials automatically
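Option 1 above, and the point from the first reply that auth's access_token_lifetime only covers the token auth itself mints, can be made concrete with a small script. This is an added example, not code from either action or from the maintainers: it takes the auth step's access_token and access_token_expiration outputs (the workflow would pass them in as environment variables, here assumed to be named GCP_ACCESS_TOKEN and GCP_ACCESS_TOKEN_EXPIRATION, which requires giving the auth step an id: so that steps.<id>.outputs.access_token can be referenced), rewrites the kubeconfig's current user to a static bearer token, and refuses to proceed if the token would not outlive the job. The sample kubeconfig is constructed and handled as JSON (which kubectl accepts); a real one from get-gke-credentials is YAML and would be loaded with a YAML parser instead.

```python
"""Option 1 from the thread: take the 7200s access token minted by
google-github-actions/auth and write it into the kubeconfig as a static
bearer token, so kubectl stops depending on the 1h default credential.

Assumptions (constructed for this example, not the actions' own code):
  - the token arrives in GCP_ACCESS_TOKEN and its expiry in
    GCP_ACCESS_TOKEN_EXPIRATION, mapped in the workflow from the auth step's
    access_token and access_token_expiration outputs;
  - the kubeconfig is handled as JSON here; a real one from
    get-gke-credentials is YAML, so load it with a YAML parser in production.
"""
import json
import os
from datetime import datetime, timezone

# Constructed sample kubeconfig; every value is a placeholder. The user entry
# deliberately carries the deprecated gcp auth-provider the thread warns
# about, so the rewrite below has something to replace.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "gke_example_cluster",
                  "cluster": {"server": "https://203.0.113.10",
                              "certificate-authority-data": "PLACEHOLDER_CA_B64"}}],
    "users": [{"name": "gke_example_cluster",
               "user": {"auth-provider": {"name": "gcp"}}}],
    "contexts": [{"name": "gke_example_cluster",
                  "context": {"cluster": "gke_example_cluster",
                              "user": "gke_example_cluster"}}],
    "current-context": "gke_example_cluster",
}


def parse_rfc3339(ts: str) -> datetime:
    """Parse the auth action's expiry format (e.g. 2022-07-04T09:05:55Z) as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def seconds_until(expiration: str, now: datetime) -> int:
    """Remaining token lifetime in seconds; negative once it has expired."""
    return int((parse_rfc3339(expiration) - now).total_seconds())


def lifetime_ok(expiration: str, now: datetime, min_lifetime_s: int) -> bool:
    """True when the token still covers the longest kubectl-using job we expect."""
    return seconds_until(expiration, now) >= min_lifetime_s


def inject_static_token(kubeconfig: dict, token: str, expiration: str,
                        now: datetime, min_lifetime_s: int) -> dict:
    """Return a copy of kubeconfig whose current-context user authenticates
    with `token` only. Refuses tokens that would expire before the job ends,
    which is the silent mid-job failure the issue describes."""
    if not lifetime_ok(expiration, now, min_lifetime_s):
        raise ValueError(
            f"token expires in {seconds_until(expiration, now)}s, "
            f"need at least {min_lifetime_s}s")
    cfg = json.loads(json.dumps(kubeconfig))  # deep copy; leave the input untouched
    ctx_name = cfg["current-context"]
    user_name = next(c["context"]["user"] for c in cfg["contexts"] if c["name"] == ctx_name)
    for user in cfg["users"]:
        if user["name"] == user_name:
            # Replace any auth-provider/exec block wholesale: a static bearer
            # token must not sit next to a plugin that would take precedence.
            user["user"] = {"token": token}
            return cfg
    raise KeyError(f"user {user_name!r} not found in kubeconfig")


def write_kubeconfig(cfg: dict, path: str) -> str:
    """Write with mode 0600: the file now holds a bearer token valid for hours."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh)  # kubectl reads JSON kubeconfigs as well as YAML
    return path


if __name__ == "__main__":
    # Timestamps taken from the issue's log: token minted at 07:05:55Z for 7200s.
    now = parse_rfc3339(os.environ.get("DEMO_NOW", "2022-07-04T07:05:55Z"))
    token = os.environ.get("GCP_ACCESS_TOKEN", "CONSTRUCTED_PLACEHOLDER_TOKEN")
    expiration = os.environ.get("GCP_ACCESS_TOKEN_EXPIRATION", "2022-07-04T09:05:55Z")
    cfg = inject_static_token(SAMPLE_KUBECONFIG, token, expiration, now, min_lifetime_s=7200)
    out = write_kubeconfig(cfg, os.environ.get("KUBECONFIG_OUT", "kubeconfig.json"))
    print(f"wrote {out}; token valid for {seconds_until(expiration, now)}s")
```

Run it as a step after get-gke-credentials, pointing it at the kubeconfig that action exported. The static token never refreshes, so a job that runs longer than access_token_lifetime still fails at expiry; for those, option 2 (the auth plugin that refreshes credentials itself) is the better fit, at the cost of the deprecation warning quoted earlier in the thread.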
