In GitHub Actions I'm running an action that is trying to use GitHub to GCP federated ID:
    # see https://github.com/marketplace/actions/authenticate-to-google-cloud#setup
    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: 'projects/1234/locations/global/workloadIdentityPools/my-github-pool/providers/my-github-oidc-provider'
        service_account: '[email protected]'
I'm getting:
    Run google-github-actions/auth@v0
    Error: google-github-actions/auth failed with: retry function failed after 1 attempt:
    gitHub Actions did not inject $ACTIONS_ID_TOKEN_REQUEST_TOKEN or
    $ACTIONS_ID_TOKEN_REQUEST_URL into this job.
    This most likely means the GitHub Actions workflow permissions are incorrect, or this job is being run from a fork.
    For more information, please see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
I'm looking at the referenced doc but I'm not seeing anything useful.
How do I get GH to inject those values?
I needed to add:
    jobs:
      my_job:
        # Need to add these 3 lines to add "id-token" with the intended permissions.
        permissions:
          contents: 'read'
          id-token: 'write'
This is documented here: https://github.com/google-github-actions/auth#usage
For me, what I was missing was:
- projects/NUMBER/locations/global/workloadIdentityPools/POOL
+ projects/NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
    permissions:
      contents: 'read'
      id-token: 'write'
Check out this https://github.com/google-github-actions/auth/blob/main/docs/TROUBLESHOOTING.md