Status Update
Comments
ba...@google.com <ba...@google.com> #2
Hello,
Thanks for reaching out to us!
The Feature Request has been created and the Product Engineering Team is working on this request. At this moment, there is no ETA to this request. Thank you for your trust and continued support to improve Google Cloud Platform products.
In case you want to report a new issue, please do not hesitate to create a new Issue Tracker thread describing your issue.
a....@accenture.com <a....@accenture.com> #3
er...@au.pwc.com <er...@au.pwc.com> #4
Especially relevant in the compute zones with longer names, e.g. australia-southeast1-a
e.g.
leaves 40 characters for PROJECT_ID + INSTANCE_ID (36 in the case of Dataproc generated GCE instances)
be...@google.com <be...@google.com> #5
br...@google.com <br...@google.com> #6
Link to GitHub public doc for this know issue
"This is a limit imposed by Google Cloud IAM. We have no control over this value. It is documented here. Please file feedback with the Google Cloud IAM team. The only mitigation is to use shorter repo names or shorter branch names."
br...@google.com <br...@google.com> #7
Same issue with GitLab as subject is made project_path:{group}/{project}:ref_type:{type}:ref:{branch_name} as documented on this
When using automated branch creation from issues, the branch name is long, as it is aligned to the issue name, which is usually a sentence, so this limit is hit very often.
Example 137 bytes: project_path:ram/convertfeed:ref_type:branch:ref:11-drop-eventarc-format-to-manage-pubsub-metadata-so-that-it-ease-subscription-filtering
br...@google.com <br...@google.com> #8
Specific workaround:
When the IAM binding is not relying on the branch name, you may customize the OIDC pool provider google.subject
attribute mapping to a value that is shorter than the gitlab assertion.sub using a
resource "google_iam_workload_identity_pool_provider" "gitlab-provider-jwt" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.gitlab-pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "gitlab-jwt-${random_id.random.hex}"
  attribute_mapping = {
    # google.subject can be referenced in IAM bindings and cannot exceed 127 bytes
    # GitLab subject is project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}
    # When branch names are auto-generated from issue names they are long, leading to a subject > 127 bytes -> error
    "google.subject"           = "\"project_path:\"+assertion.namespace_path+\"/\"+assertion.project_path", # Required
    "attribute.aud"            = "assertion.aud",
    "attribute.project_path"   = "assertion.project_path",
    "attribute.project_id"     = "assertion.project_id",
    "attribute.namespace_id"   = "assertion.namespace_id",
    "attribute.namespace_path" = "assertion.namespace_path",
    "attribute.user_email"     = "assertion.user_email",
    "attribute.ref"            = "assertion.ref",
    "attribute.ref_type"       = "assertion.ref_type",
  }
  oidc {
    issuer_uri        = var.gitlab_url
    allowed_audiences = [var.gitlab_url]
  }
}
resource "google_service_account_iam_binding" "gitlab-oidc-workload-identity-user-on-build-sa" {
  service_account_id = google_service_account.build_sa.name
  role               = "roles/iam.workloadIdentityUser"
  members = [
    "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.gitlab-pool.name}/attribute.namespace_id/${var.gitlab_namespace_id}",
    # see https://cloud.google.com/iam/docs/principal-identifiers
  ]
}
It fixes the issue in my use case. HTH
ad...@cohere.com <ad...@cohere.com> #9
hello
I am experiencing a similar error, slightly different issue:
google-github-actions/auth failed with: failed to generate Google Cloud federated token for //iam.googleapis.com/projects/X/locations/global/workloadIdentityPools/<pool>/providers/<pool>:
{"error":"invalid_request","error_description":"The size of mapped attribute google.subject exceeds the 127 bytes limit. Either modify your attribute mapping or the incoming assertion to produce a mapped attribute that is less than 127 bytes."}
TLDR; it's a :github: workflow with WLID to accept calls from respective repos (attribute_condition
) to OIDC auth with Google .. attribute.repository in [
.. etc
it doesn't happen for other repos so it looks to be isolated to this repo's name, I tried researching but no dice on anything
my terraform looks like:
module "<pool>" {
  source  = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
  version = "3.1.2"

  project_id          = var.project_id
  pool_id             = "<pool>"
  provider_id         = "<pool>"
  attribute_condition = "attribute.repository in ['<org>/a', '<org>/b', '<org>/c', '<org>/d', '<org>/e', '<org>/longstring', '<org>/f', '<org>/g', '<org>/h']"
}
I am unable to rename the repo, do you have any ideas here?
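The three failure modes in this thread (the GitLab subject from comments #7 and #8, the GitHub repository-name case from comment #9, and the AWS ARN in the issue description) all come down to one check: how many UTF-8 bytes the mapped google.subject occupies. The script below is an added example, not code from this thread or from Google; it evaluates candidate mappings offline, before they are put into a provider. All claim values are constructed (the GitLab branch reuses the 137-byte subject quoted in comment #7), the GitHub sub format follows GitHub's documented `repo:{owner}/{repo}:ref:{ref}` layout, and the shortened mappings (`project_path` only for GitLab, `assertion.repository` for GitHub) are assumed alternatives, not the module's defaults.

```python
"""Pre-flight check for the 127-byte limit on google.subject in Workload Identity Federation.

Added example, not code from this issue thread. All claim values below are constructed;
the GitLab branch reuses the 137-byte subject quoted in comment #7.
"""
from dataclasses import dataclass
from typing import Callable, Dict

# The limit quoted in the error message on this page.
GOOGLE_SUBJECT_LIMIT_BYTES = 127

Claims = Dict[str, str]
Mapping = Callable[[Claims], str]


@dataclass(frozen=True)
class CheckResult:
    subject: str
    size: int   # UTF-8 byte length, which is what the limit counts
    ok: bool    # True when the subject fits within the limit


def subject_bytes(subject: str) -> int:
    # The limit is in bytes, not characters: a non-ASCII branch name costs more than len(str).
    return len(subject.encode("utf-8"))


def check_mapping(mapping: Mapping, claims: Claims) -> CheckResult:
    # Evaluate a candidate google.subject mapping against a token's claims.
    subject = mapping(claims)
    size = subject_bytes(subject)
    return CheckResult(subject, size, size <= GOOGLE_SUBJECT_LIMIT_BYTES)


# --- GitLab: sub is project_path:{group}/{project}:ref_type:{type}:ref:{branch_name} (comment #7) ---

def gitlab_default_sub(claims: Claims) -> str:
    return f"project_path:{claims['project_path']}:ref_type:{claims['ref_type']}:ref:{claims['ref']}"


def gitlab_short_subject(claims: Claims) -> str:
    # Shortened mapping in the spirit of comment #8 (assumed variant): keep the project,
    # drop ref_type and ref, so the branch name can no longer push the subject over the limit.
    return "project_path:" + claims["project_path"]


# --- GitHub: sub for a branch push is repo:{owner}/{repo}:ref:refs/heads/{branch} ---

def github_default_sub(claims: Claims) -> str:
    return f"repo:{claims['repository']}:ref:{claims['ref']}"


def github_short_subject(claims: Claims) -> str:
    # Assumed alternative for comment #9: map google.subject to assertion.repository (owner/repo only).
    return claims["repository"]


# --- AWS: google.subject is commonly mapped from assertion.arn (the issue description) ---

def aws_arn_subject(claims: Claims) -> str:
    return claims["arn"]


# Constructed sample claims.
GITLAB_CLAIMS: Claims = {
    "project_path": "ram/convertfeed",
    "ref_type": "branch",
    "ref": "11-drop-eventarc-format-to-manage-pubsub-metadata-so-that-it-ease-subscription-filtering",
}
GITHUB_CLAIMS: Claims = {
    "repository": "example-org/platform-infrastructure-shared-services-terraform-modules",
    "ref": "refs/heads/feature/123-rotate-workload-identity-provider-credentials",
}
AWS_CLAIMS_SHORT: Claims = {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy-role/i-0123456789abcdef0"}
AWS_CLAIMS_LONG: Claims = {
    "arn": "arn:aws:sts::123456789012:assumed-role/"
           "platform-engineering-shared-services-deployment-pipeline-role/"
           "github-actions-run-1234567890-attempt-2",
}

CANDIDATES = [
    ("gitlab default (assertion.sub)", gitlab_default_sub, GITLAB_CLAIMS),
    ("gitlab shortened", gitlab_short_subject, GITLAB_CLAIMS),
    ("github default (assertion.sub)", github_default_sub, GITHUB_CLAIMS),
    ("github shortened (assertion.repository)", github_short_subject, GITHUB_CLAIMS),
    ("aws short arn", aws_arn_subject, AWS_CLAIMS_SHORT),
    ("aws long arn", aws_arn_subject, AWS_CLAIMS_LONG),
]


def report() -> Dict[str, CheckResult]:
    # Every candidate's result; the failing ones are the mappings the STS endpoint would reject.
    return {name: check_mapping(mapping, claims) for name, mapping, claims in CANDIDATES}


if __name__ == "__main__":
    for name, result in report().items():
        flag = "OK  " if result.ok else "FAIL"
        print(f"{flag} {result.size:3d}/{GOOGLE_SUBJECT_LIMIT_BYTES} {name}: {result.subject}")
```

Shortening the subject has an authorization consequence: once ref_type and ref (or the GitHub ref) leave google.subject, a binding on `subject/...` can no longer distinguish branches. Branch or ref scoping then has to move into the provider's attribute_condition (for example on attribute.ref) or into a principalSet on another mapped attribute, which is what comment #8 does with attribute.namespace_id.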
be...@google.com <be...@google.com>
mb...@fireblocks.com <mb...@fireblocks.com> #10
"An exception of type OAuthError occurred while uploading file /app/my_hello_world.txt to bucket meital-testing-checkpoint-bucket (dest_filename='/app/my_hello_world.txt'), err=OAuthError('Error code invalid_request: The size of mapped attribute google.subject exceeds the 127 bytes limit. Either modify your attribute mapping or the incoming assertion to produce a mapped attribute that is less than 127 bytes.', '{"error":"invalid_request","error_description":"The size of mapped attribute google.subject exceeds the 127 bytes limit. Either modify your attribute mapping or the incoming assertion to produce a mapped attribute that is less than 127 bytes."}')."
fr...@optelgroup.com <fr...@optelgroup.com> #11
da...@gmail.com <da...@gmail.com> #12
b2...@googlemail.com <b2...@googlemail.com> #13
si...@google.com <si...@google.com> #14
ya...@gmail.com <ya...@gmail.com> #15
This occurred to me with GitLab; the interim solution that I did was to provide a group Id as the attribute.namespace_id and also shorten my branch names for any merge request. Hopefully this gets fixed soon.
Description
The current limit of 127 characters to provide the principal for google.subject, using an ARN generated on the AWS side of things: there is a possibility that the ARN is too long.
When the ARN is longer than 127 bytes, they have received the below error message.
================
"The size of mapped attribute google.subject exceeds the 127 bytes limit. Either modify your attribute mapping or the incoming assertion to produce a mapped attribute that is less than 127 bytes."
================
What you expected to happen:
We should possibly be able to accommodate the AWS ARN length.
Other information (workarounds you have tried, documentation consulted, etc):