Issue with Google Drive API Authentication using GitHub Actions

I created my workload identity pool according to the Google GitHub Actions Auth documentation without any service account. Then I tried to connect to Google Drive, which requires an OAuth 2.0 access token. I used the following configuration:

- name: Authenticate with Google Cloud
    uses: 'google-github-actions/auth@v2'
    with:
        project_id: 'my-project'
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'

- name: Upload files to Google Drive
    uses: 'Burak-Atak/drive-upload@master'
    with:
      google_credentials_file_path: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}
      files_to_create: "app.spec"
      drive_folder_id: "242fgdfg345345"
      files_to_update: "requirements.txt"
      file_ids_to_update: "asdas3534fdgg"

However, I got the following error with below code:

def authenticate_google(self):
    credentials, project_id = load_credentials_from_file(
        os.environ["GOOGLE_APPLICATION_CREDENTIALS"],
        scopes=[
            'https://www.googleapis.com/auth/drive.file',
            'https://www.googleapis.com/auth/drive',
            'https://www.googleapis.com/auth/drive.metadata'
        ]
    )

    return build("drive", "v3", credentials=credentials)

googleapiclient.errors.HttpError: <HttpError 401 when requesting https://www.googleapis.com/upload/drive/v3/files?fields=id&alt=json&uploadType=multipart returned "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.". Details: "[{'message': 'Invalid Credentials', 'domain': 'global', 'reason': 'authError', 'location': 'Authorization', 'locationType': 'header'}]">

I realized I should use OAuth 2.0 for the Google Drive API. Then I changed my configuration to this:

- name: Authenticate with Google Cloud
  uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
    project_id: '<PROJECT_ID>'
    service_account: '<PROJECT_ID>@<PROJECT_ID>.iam.gserviceaccount.com'
    token_format: 'access_token'
    access_token_lifetime: '60s'
    access_token_scopes: 'https://www.googleapis.com/auth/drive.file,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.metadata'

- name: Upload files to Google Drive
    uses: 'Burak-Atak/drive-upload@master'
    with:
      google_credentials_file_path: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}
      files_to_create: "app.spec"
      drive_folder_id: "242fgdfg345345"
      files_to_update: "requirements.txt"
      file_ids_to_update: "asdas3534fdgg"

After this change, I started to get the following error even though I have the Service Account Token Creator and Owner roles in my service account:

google-github-actions/auth failed with: failed to generate Google Cloud OAuth 2.0 Access Token for <PROJECT_ID>@<PROJECT_ID>.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}

Solution

I figured out that I should add a service account to my workload pool. Check the "Connected service accounts" part in the Google Cloud Console. If there is no connected service account, you should add one.