gsutil isn't authenticated

[pvanderlinden]

TL;DR

gsutil isn't authenticated even though the docs mention it is possible

Expected behavior

gsutil is authenticated

Observed behavior

I get the error "401 Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket."

Action YAML

name: Docs build & upload

on:
  push:
    branches:
      - main

env:
  GCS_DEST: gs://...

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.11"]
    steps:
      - uses: actions/checkout@v4
      - name: "google cloud auth"
        uses: "google-github-actions/auth@v2"
        with:
          credentials_json: "${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}"
      - name: publish
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          gsutil -m rsync -x 'compiled/.*$|.*\.msgpack$' -R -r target  ${{ env.GCS_DEST }}

Log output

No response

Additional information

No response

[github-actions]

Hi there @pvanderlinden 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

[sethvargo]

Hi @pvanderlinden - I'm not seeing where you're using gsutil in your example, did you mean gcloud? You need to use google-github-actions/setup-gcloud@v2 to install and configure gcloud.

[pvanderlinden]

Hi @pvanderlinden - I'm not seeing where you're using gsutil in your example, did you mean gcloud? You need to use google-github-actions/setup-gcloud@v2 to install and configure gcloud.

Sorry, apparently I posted the version with the work around: using gcloud storage instead of gsutil works. I adjusted the example, as I tried it originally. gcloud and gsutil already are pre installed on the github actions image. Is gcloud storage going to replace gsutil? If so, it might be good to mention in the docs someone should use gcloud storage instead of gsutil as the second doesn't work (while it currently says it does).

[sethvargo]

Hi @pvanderlinden, as noted in the README prerequisites, you must use gcloud/gsutil version 390.0.0 or later. We don't control which version of gcloud/gsutil is pre-installed on the GitHub Actions managed runners, and it may be older than the supported version.

[pvanderlinden]

According to the documentation it's uptodate enough. https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md#cli-tools

I was going to double check, but github has some issues at the moment, and the workflow doesn't run.

[pvanderlinden]

Hi @pvanderlinden, as noted in the README prerequisites, you must use gcloud/gsutil version 390.0.0 or later. We don't control which version of gcloud/gsutil is pre-installed on the GitHub Actions managed runners, and it may be older than the supported version.

I just double checked. This is the result of running the command in a github actions workflow:

> gcloud --version
  
Google Cloud SDK 469.0.0
alpha 2024.03.15
beta 2024.03.15
bq 2.1.1
bundled-python3-unix 3.11.8
core 2024.03.15
gcloud-crc32c 1.0.0
gsutil 5.27

[sethvargo]

You still need actions/setup-gcloud (you can set install: false to bypass installation), because something has to run gcloud auth login...

[pvanderlinden]

You still need actions/setup-gcloud (you can set install: false to bypass installation), because something has to run gcloud auth login...

Isn't this what the "auth" action is supposed to do? It authenticates gcloud utilities (except gsutil/bq apparently)

      - name: "google cloud auth"
        uses: "google-github-actions/auth@v2"
        with:
          credentials_json: "${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}"

[sethvargo]

The auth action creates credentials files and exports environment variables. Unfortunately gcloud (and gsutil and bq) do not read any environment variables to source their authentication. auth can't run the commands to authenticate those tools because it doesn't install them on the system (and can't guarantee they are installed (e.g. self-hosted runners)).

[pvanderlinden]

The auth action creates credentials files and exports environment variables. Unfortunately gcloud (and gsutil and bq) do not read any environment variables to source their authentication. auth can't run the commands to authenticate those tools because it doesn't install them on the system (and can't guarantee they are installed (e.g. self-hosted runners)).

Thanks. This explains the issue. However, the current auth action actually authenticates the cli tool gcloud (as otherwise my work around wouldn't work) , but not gsutil and bq. This makes this action confusing, especially with the documentation saying "To use the bq or gsutil tools, use the Google Cloud SDK version 390.0.0 or newer.". I think it would enhance the documentation by a lot if it is actually mentioned in the documentation you need the setup actions as well to use these tools.

[sethvargo]

auth does not authenticate gcloud. setup-gcloud authenticates gcloud with the credentials from auth.

[sethvargo]

Hi @pvanderlinden does that answer your question?

[pvanderlinden]

Sorry @sethvargo I got a bit sidetracked on this issue. It does answer my question.

However, I think the behavior is not really clear in the documentation:

• auth sounds like it would authenticate gcloud, and it's related tools. Not that you need an extra step for this
• it even mentions it should now work for newer versions of bq/gsutil
• it doesn't mention anywhere that you need the setup-gcloud for the actual authentication
• to add to the confusion, it usually works for any other gcloud commands, without setup-gcloud

[sethvargo]

auth sets up the environment, specifically Application Default Credentials. If tools honor those, they are used. Otherwise, special authentication steps are needed.

[pvanderlinden]

auth sets up the environment, specifically Application Default Credentials. If tools honor those, they are used. Otherwise, special authentication steps are needed.

I do understand that after the explanation in this ticket. But as I explained, the docs aren't clear about this, especially by mentioning that bq/gsutil should work with never versions.

[Ben-Epstein]

Hi @sethvargo I'm running into the same issue as @pvanderlinden, and i agree the docs aren't clear on how to get gsutil working. I used gcloud storage and it worked, but that has limitations which should probably be noted

[sethvargo]

@Ben-Epstein - can you run gsutil --version, gcloud --version, which gcloud, and which gsutil and share the output please? If gcloud is working and gsutil is not, then that means the binaries might be pointing to different installations.

[Ben-Epstein]

@sethvargo Here you go

gsutil version: 5.30
/usr/bin/gsutil
Google Cloud SDK 487.0.0 alpha 2024.08.06 beta 2024.08.06 bq 2.1.7 bundled-python3-unix 3.11.9 core 2024.08.06 gcloud-crc32c 1.0.0 gsutil 5.30
/usr/bin/gcloud

And this is essentially my entire workflow

      - uses: actions/checkout@v4
      - name: setup gcloud
        uses: 'google-github-actions/auth@v2'
        with:
          project_id: '<REDACTED>'
          workload_identity_provider: '<REDACTED>'

      - name: get versions
        run: |
          echo $(gsutil --version)
          echo $(which gsutil)
          echo $(gcloud --version)
          echo $(which gcloud)

[sethvargo]

Hmm that's so weird because I'm running the exact same version of gsutil locally and it seems to respect GOOGLE_APPLICATION_CREDENTIALS. Let me dig in more.

[sethvargo]

Hey folks - I heard back to the engineering team, and they confirmed that gsutil does not respect this credential method. Per the public Google Cloud documentation, the recommended path is to use gcloud storage instead.