[RESOLVED] failed to call https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/xxxxxxxxxxxx.iam.gserviceaccount.com:generateAccessToken: HTTP 404: [no body] #471

Closed
ElijahLynn opened this issue Feb 21, 2025 · 3 comments


Adding for search engines:

Run google-github-actions/auth@v2
Created credentials file at "/home/runner/_work/xxxxxx/xxxxx/gha-creds-12345678.json"
Error: google-github-actions/auth failed with: failed to generate Google Cloud OAuth 2.0 Access Token for xxxxxxxxxxxxxxx@xxxxxxxx.iam.gserviceaccount.com: failed to call https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/xxxxxxxxxxxx.iam.gserviceaccount.com:generateAccessToken: HTTP 404: [no body]

This was because I had specified an incorrect service account email:

      - name: authenticate to GCP with workload identity
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: 'projects/1234567/locations/global/workloadIdentityPools/xxxxxxxxx/providers/xxxxxxxxxxx'
          service_account: 'xxxxxxxxxxxxxxx@xxxxxxxx.iam.gserviceaccount.com' # this was incorrect

Hi there @ElijahLynn 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

@ElijahLynn ElijahLynn changed the title failed to call https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/xxxxxxxxxxxx.iam.gserviceaccount.com:generateAccessToken: HTTP 404: [no body] [RESOLVED] failed to call https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/xxxxxxxxxxxx.iam.gserviceaccount.com:generateAccessToken: HTTP 404: [no body] Feb 21, 2025

ElijahLynn commented Feb 22, 2025

Also, this message was because of incorrect provider and service account names as well. If you are using a matrix strategy for different envs, then you could end up not having the right project ID, pool name, pool provider or SA email.

Created credentials file at "/home/runner/_work/xxxxxxxx/xxxxxxx/gha-creds-123456.json"
Error: google-github-actions/auth failed with: failed to generate Google Cloud federated token for //iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/xxxxxxxxx/providers/xxxxxxxx: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}


ElijahLynn commented Feb 22, 2025

gonna throw this matrix strategy code in here too:

jobs:
  job-name:
    env:
      AUTH_WORKLOAD_IDENTITY_PROVIDER: ""
      AUTH_SERVICE_ACCOUNT: ""
    permissions:
      contents: 'read'
      id-token: 'write'
    strategy:
      matrix:
        include:
          - environment: 'example1'
          - environment: 'example2'
...


      - name: assign dynamic workload identity provider and service account per environment
        run: |
          if [ "${{ matrix.environment }}" = "example1" ]; then
            echo "AUTH_WORKLOAD_IDENTITY_PROVIDER=projects/1234567/locations/global/workloadIdentityPools/xxxxxxxx/providers/xxxxxx" >> $GITHUB_ENV
            echo "AUTH_SERVICE_ACCOUNT=xxxxxxxxxx@xxxxxxx.iam.gserviceaccount.com" >> $GITHUB_ENV
          elif [ "${{ matrix.environment }}" = "example2" ]; then
            echo "AUTH_WORKLOAD_IDENTITY_PROVIDER=projects/1234567/locations/global/workloadIdentityPools/xxxxxxxx/providers/xxxxxx" >> $GITHUB_ENV
            echo "AUTH_SERVICE_ACCOUNT=xxxxxxxxxx@xxxxxxx.iam.gserviceaccount.com" >> $GITHUB_ENV
          fi

      - name: authenticate to gcp with workload identity
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ env.AUTH_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ env.AUTH_SERVICE_ACCOUNT }}
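
A pre-flight check for the per-environment mapping described in this thread, as an added example that is not part of the issue or of google-github-actions/auth: it fails the step on an unknown matrix environment or a malformed value instead of passing empty or wrong inputs to the auth step. The pool, provider and service account values are constructed placeholders, `MATRIX_ENVIRONMENT` is an assumed variable name, and the patterns assume the numeric project number form shown above.

```shell
#!/bin/sh
# Added example, not from the issue. All identifiers below are constructed placeholders.

# Full provider resource name, with the numeric project number as on this page.
is_valid_provider() {
  printf '%s\n' "$1" | grep -Eq \
    '^projects/[0-9]+/locations/global/workloadIdentityPools/[a-z0-9-]+/providers/[a-z0-9-]+$'
}

# Service account email: <name>@<project>.iam.gserviceaccount.com
is_valid_service_account() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9-]+@[a-z0-9.-]+\.iam\.gserviceaccount\.com$'
}

# Set AUTH_* for one matrix environment; return non-zero (leaving both empty)
# for an unknown environment or a malformed value.
resolve_auth() {
  AUTH_WORKLOAD_IDENTITY_PROVIDER=""
  AUTH_SERVICE_ACCOUNT=""
  case "$1" in
    example1)
      provider='projects/1234567/locations/global/workloadIdentityPools/example-pool-1/providers/example-provider'
      account='deployer@example-project-1.iam.gserviceaccount.com' ;;
    example2)
      provider='projects/7654321/locations/global/workloadIdentityPools/example-pool-2/providers/example-provider'
      account='deployer@example-project-2.iam.gserviceaccount.com' ;;
    *)
      echo "unknown environment: $1" >&2; return 1 ;;
  esac
  is_valid_provider "$provider" || { echo "malformed provider for $1" >&2; return 1; }
  is_valid_service_account "$account" || { echo "malformed service account for $1" >&2; return 1; }
  AUTH_WORKLOAD_IDENTITY_PROVIDER=$provider
  AUTH_SERVICE_ACCOUNT=$account
}

# In a workflow step, pass the matrix value in as MATRIX_ENVIRONMENT (assumed name)
# and export the result for the following auth step.
if [ -n "${MATRIX_ENVIRONMENT:-}" ]; then
  resolve_auth "$MATRIX_ENVIRONMENT" || exit 1
  {
    echo "AUTH_WORKLOAD_IDENTITY_PROVIDER=$AUTH_WORKLOAD_IDENTITY_PROVIDER"
    echo "AUTH_SERVICE_ACCOUNT=$AUTH_SERVICE_ACCOUNT"
  } >> "$GITHUB_ENV"
fi
```

This catches only shape errors, such as a pool name given where the provider name belongs; a well-formed name that points at the wrong project, pool or service account still surfaces as the errors quoted in this issue.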
