 

Why is this Workload Identity Pool not being created?

I can't see why my declaration for my Workload Identity Federation resource cannot be created.

The error I am getting says that I have to reference one of the provider's claims:

╷
│ Error: Error creating WorkloadIdentityPoolProvider: googleapi: Error 400: The attribute condition must reference one of the provider's claims. For more information, see https://cloud.google.com/iam/docs/workload-identity-federation-with-deployment-pipelines#conditions
│ 
│   with google_iam_workload_identity_pool_provider.github_provider,
│   on github-actions-sa.tf line 14, in resource "google_iam_workload_identity_pool_provider" "github_provider":
│   14: resource "google_iam_workload_identity_pool_provider" "github_provider" ***
│ 
╵

From what I can see in the docs, the claims repository and repository_owner should exist. According to this post, the repository_owner is even mandatory.

As you can see, I am referencing these in the attribute_mapping.

resource "google_iam_workload_identity_pool_provider" "github_provider" {
  project                            = var.project_id
  display_name                       = "GitHub Provider"
  workload_identity_pool_id          = google_iam_workload_identity_pool.github_actions_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider"
  provider                           = google
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }

  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }
}

resource "google_service_account_iam_binding" "allow_github" {

  service_account_id = google_service_account.service_account.id
  role               = "roles/iam.workloadIdentityUser"

  members = [
    "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github_actions_pool.name}/attribute.repository/${var.github_organisation}/my-project",
    "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github_actions_pool.name}/attribute.repository_owner/${var.github_organisation}"
  ]
}
Stefan Falk asked Oct 19 '25 02:10



1 Answer

It turns out that there is another attribute_condition field. As the error states, "attribute condition must reference one of the provider's claims".

resource "google_iam_workload_identity_pool_provider" "github_provider" {
  project                            = var.project_id
  display_name                       = "GitHub Provider"
  workload_identity_pool_id          = google_iam_workload_identity_pool.github_actions_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider"
  provider                           = google
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }

  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }
 
  // The missing attribute condition in Common Expression Language:
  attribute_condition = "attribute.repository == assertion.repository && attribute.repository_owner == assertion.repository_owner"
}

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#example-usage---iam-workload-identity-pool-provider-github-actions

Stefan Falk answered Oct 22 '25 03:10

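Added example, not part of the question or answer above: the condition in the answer compares each mapped attribute with the very claim it was mapped from, so it is satisfied by every token GitHub issues; a condition that pins the claims to expected values is what limits which workflows can exchange a token at this provider. It reuses var.project_id, var.github_organisation and the pool from the question; the "my-project" repository name is taken from the question's binding, and the extra ref mapping and the main-branch restriction are assumed choices.

```hcl
resource "google_iam_workload_identity_pool_provider" "github_provider" {
  project                            = var.project_id
  display_name                       = "GitHub Provider"
  workload_identity_pool_id          = google_iam_workload_identity_pool.github_actions_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider"

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }

  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
    # Assumed extra mapping: GitHub's `ref` claim, so the binding side can also key on the branch.
    "attribute.ref"              = "assertion.ref"
  }

  # Each clause references a provider claim (satisfying the API error) and compares it
  # with a fixed expected value, so tokens from other owners, repositories or branches
  # are rejected before any service-account binding is consulted.
  # var.github_organisation is the question's variable; "main" is an assumed branch.
  attribute_condition = join(" && ", [
    "assertion.repository_owner == \"${var.github_organisation}\"",
    "assertion.repository == \"${var.github_organisation}/my-project\"",
    "assertion.ref == \"refs/heads/main\"",
  ])
}
```

The principalSet members in the question's google_service_account_iam_binding still apply on top of this; the condition narrows which tokens the pool accepts at all, the binding narrows which of those may impersonate the service account.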