TL;DR
If you have an existing/deployed function, and you change the service_account_email: setting in your GH Actions, the function will deploy as usual, but it will maintain whichever Service Account was already assigned to it rather than the one indicated in the GH Action code.
Expected behavior
The function will be updated with the new service account
Observed behavior
Code, vars and secrets update as expected but the service account stays at however it was set before.
Action YAML
```yaml
# This is from a public repo:
# https://github.com/centrifuge/apps/blob/main/.github/actions/deploy-gfunction/action.yml
name: Deploy Gfunction
description: Deploy Apps repo function to Gcloud. Format env and secrets too.
inputs:
  app_name:
    description: app name to deploy
    required: true
  artifact_name:
    description: artifact to download and deploy
    required: true
  deploy_env:
    description: env to deploy function to
    required: false
  checkout_path:
    description: Folder with repository code
    required: true
  GWIP:
    description: Google Workflow Identity provider
    required: true
  GSA:
    description: Google Service Account
    required: true
  service_account:
    description: Gcloud SA for the function
    required: false
  target:
    description: "Gfunction target handler"
    required: true
    default: handler
  gcloud_region:
    description: "Google Cloud region to use"
    required: false
    default: europe-central2
runs:
  using: composite
  steps:
    # This is probably redundant but in case this action
    # needs to be used in isolation, it won't work
    # unless the repo is checked out somewhere first
    - name: Checkout
      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      with:
        path: apps # The next 3 steps use this folder
    - name: prepare env logic
      id: prepare
      uses: "./apps/.github/actions/prepare-deploy"
      with:
        app_base_name: ${{ inputs.app_name }}
        deploy_to: ${{ inputs.deploy_env }}
    - name: set env vars for Gfunction deploy
      shell: bash
      id: set_env
      env:
        vars_file: ./apps/${{ inputs.app_name }}/env-vars/${{ steps.prepare.outputs.env_name }}.env
      run: |
        if [ -f ${{ env.vars_file }} ]; then
          VARS_COMMA=$(cat ${{ env.vars_file }} | paste -s -d, -)
          echo "function_vars=$VARS_COMMA" >> $GITHUB_OUTPUT
        else
          echo "No function env file ${{ env.vars_file }}, continuing..."
        fi
    - name: Function env secrets
      shell: bash
      id: set_secrets
      env:
        secrets_file: ./apps/${{ inputs.app_name }}/env-vars/${{ steps.prepare.outputs.env_name }}.secrets
      run: |
        if [ -f ${{ env.secrets_file }} ]; then
          FILE=${{ env.secrets_file }}
          delimiter="$(openssl rand -hex 8)"
          # Add a new line at the end if not already there:
          sed -i -e '$a\' $FILE
          echo "function_secrets<<${delimiter}" >> $GITHUB_OUTPUT
          cat $FILE >> $GITHUB_OUTPUT
          echo "${delimiter}" >> $GITHUB_OUTPUT
        else
          echo "No secrets file in ${{ env.secrets_file }}, continuing..."
        fi
    - name: retrieve artifacts
      id: download
      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # @v3.0.2
      with:
        name: ${{ inputs.artifact_name || inputs.app_name }}
        # This will work only if we're matching the same string as
        # the upload step, which happens outside of this action file
        # by convention I use the app_name everywhere
        path: functions
    ## Every module from here on could potentially expose the Gcloud Auth Token
    ## Do not add untrusted code with `uses`
    ## Ideally run only google-github-actions code with commit SHA at the end from here on
    ## or `run` commands that we write.
    - name: Auth gcloud
      id: gauth
      uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # @v1
      with:
        workload_identity_provider: ${{ inputs.GWIP }}
        service_account: ${{ inputs.GSA }}
    - name: Deploy to google functions
      id: gclouddeploy
      uses: google-github-actions/deploy-cloud-functions@14509ca55199d9348161571e36c48e44f855030d #@v1
      with:
        name: '${{ steps.prepare.outputs.function_name }}'
        runtime: 'nodejs16'
        region: '${{ inputs.gcloud_region }}'
        source_dir: '${{ steps.download.outputs.download-path }}'
        entry_point: '${{ inputs.target }}'
        secret_environment_variables: ${{ steps.set_secrets.outputs.function_secrets }}
        env_vars: ${{ steps.set_env.outputs.function_vars }}
        service_account_email: ${{ inputs.service_account }}
        max_instances: ${{ contains(steps.prepare.outputs.function_name, 'production') && '200' || '10' }}
    - name: Print Gcloud functions URL
      shell: sh
      if: ${{ github.event_name == 'pull_request'}}
      run: echo "::notice title=Function_URL::${{ steps.gclouddeploy.outputs.url }}"
    - name: Set up Cloud SDK
      uses: google-github-actions/setup-gcloud@d51b5346f85640ec2aa2fa057354d2b82c2fcbce # v1.0.1
    - name: Change function to allow_unathorized calls
      shell: sh
      run: |
        gcloud functions add-iam-policy-binding ${{ steps.prepare.outputs.function_name }} \
          --region=${{ inputs.gcloud_region }} \
          --member="allUsers" --role="roles/cloudfunctions.invoker"
```
Additional information
It's easy to test. Create a function, or change the Service Account on the function deployed by this Action, then run the action with a different SA and see how it won't change.
In contrast, using `gcloud function deploy MY_FUNCTION_NAME --service-account my-account@MY_PROJECT.iam.gserviceaccount.com --source ./dist` for an existing function updates the SA just fine.
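Because the deploy step succeeds while silently leaving the old service account in place, a workflow that relies on it can keep running under a broader identity than intended without anyone noticing. The script below is an added example, not part of the issue, the centrifuge action or the deploy-cloud-functions action: a post-deploy verification step that reads the identity the function actually runs under and fails the job with a GitHub Actions error annotation when it differs from the one the workflow requested. It assumes `gcloud` is on PATH and already authenticated by the preceding auth step, and that the function is a 1st-gen Cloud Function, where `gcloud functions describe` reports the identity in the `serviceAccountEmail` field; the function names `check_service_account`, `deployed_service_account` and `verify_function_sa` are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not the issue author's code): verify that a deployed function
# runs under the service account the workflow asked for, so that the silent
# "SA not updated" behaviour described in the issue fails the job instead of
# passing unnoticed.
set -euo pipefail

# Pure comparison, kept separate from gcloud so it can be tested offline.
# Returns 0 when the deployed SA matches the requested one, 1 otherwise,
# printing a GitHub Actions ::error annotation on mismatch so it shows up
# in the run summary.
check_service_account() {
  local expected="$1" actual="$2" function_name="$3"
  if [ -z "$expected" ]; then
    # No SA was requested: the function keeps whatever it had; nothing to verify.
    return 0
  fi
  if [ "$expected" = "$actual" ]; then
    return 0
  fi
  echo "::error title=Service account drift::${function_name} runs as '${actual:-<none>}', expected '${expected}'"
  return 1
}

# Reads the SA a deployed 1st-gen function actually runs under
# (assumption: serviceAccountEmail is the field gcloud reports for gen1).
deployed_service_account() {
  local function_name="$1" region="$2"
  gcloud functions describe "$function_name" \
    --region="$region" \
    --format='value(serviceAccountEmail)'
}

# Usage inside a workflow step, with the same values the deploy step used:
#   verify_function_sa "$FUNCTION_NAME" "$REGION" "$EXPECTED_SA"
verify_function_sa() {
  local function_name="$1" region="$2" expected="$3"
  local actual
  actual="$(deployed_service_account "$function_name" "$region")"
  check_service_account "$expected" "$actual" "$function_name"
}
```

Run it as a `run:` step right after the deploy step, passing `steps.prepare.outputs.function_name`, `inputs.gcloud_region` and `inputs.service_account`; because the step exits non-zero on drift, the workflow fails loudly instead of reporting a green deploy that still runs under the previous identity.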