GitHub Actions, Terraform, and GCP: Github Runner permissions and service account integration issues


I am working on automating a CI/CD pipeline using GitHub Actions. I have already set up Terraform that deploys the infrastructure on GCP. GitHub Actions is authenticated to Google Cloud via the following action:

    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/auth@v1'
      with:
        service_account: '[email protected]'

In the current stage, I want to use Terraform to create an inventory file for Ansible automatically. I prepared a template and want to create the inventory file using the local_file resource:

resource "local_file" "hosts_cfg" {
  content = templatefile("${path.module}/templates/hosts.tpl",
    {
      target_hosts = module.target_hosts.external_ips
    }
  )
  filename = "/etc/ansible/hosts"
}

The problem is, when I execute the terraform apply command using GitHub Actions, I receive the following error:

│ Error: Create local file error
│ 
│   with local_file.hosts_cfg,
│   on main.tf line 183, in resource "local_file" "hosts_cfg":
│  183: resource "local_file" "hosts_cfg" {
│ 
│ An unexpected error occurred while writing the file
│ 
│ +Original Error: open /etc/ansible/hosts: permission denied
╵
Error: Process completed with exit code 1.

So it seems that the GitHub Runner is not allowed to create files and folders in locations that require elevated privileges.

On the other hand, when I run the action with sudo terraform apply, I get the following error message:

╷
│ Error: storage.NewClient() failed: dialing: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
│ 
│ 
╵
Error: Process completed with exit code 1.

What I don't understand is:

  1. If I use the google-github-actions/auth@v1 to authenticate, I bestow the same rights the service account has on the GitHub Runner, right? If it is so, why can't the GitHub Runner create a directory in /etc/?
  2. Does using sudo only give the GitHub Runner the same rights as a service account? This is only partially true because I can't access the bucket where the state is stored. What baffles me is that the Runner can access the state without sudo and can't with it.
  3. What is the relationship between the GitHub Runner's privileges and the service account that is used to run Terraform commands?
  4. What can be done to bestow the same right on the GitHub Runner as the service account has?

There are 0 answers
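The two failures in the question come from two separate permission systems. The service account's IAM roles only govern calls to Google Cloud APIs (such as the state bucket); writing to /etc on the runner is governed by the Linux user the job runs as, which the auth action does not change. Conversely, google-github-actions/auth hands credentials to Terraform through environment variables (GOOGLE_APPLICATION_CREDENTIALS and friends) exported into the job's shell, and on a default sudoers configuration sudo's env_reset drops those variables, which is why the sudo run reports "could not find default credentials". The workflow below is an added example, not the asker's workflow: it keeps terraform running as the unprivileged runner user and points the inventory at a runner-writable path instead. The workload identity provider resource name and the service account address are placeholders, and it assumes the local_file resource has been changed to read its filename from a Terraform variable named inventory_path (an assumption, not something the question shows).

```yaml
# Added example; not the original question's workflow.
# PLACEHOLDER values (PROJECT_NUMBER, POOL, PROVIDER, SA_NAME, PROJECT_ID) must be replaced.
name: deploy

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # required for keyless (OIDC) authentication with google-github-actions/auth

jobs:
  terraform:
    runs-on: ubuntu-latest
    env:
      # Terraform reads TF_VAR_<name> as input variables. The local_file resource is
      # assumed to use `filename = var.inventory_path` instead of /etc/ansible/hosts.
      # runner.temp is owned by the runner user, so no elevated privileges are needed.
      TF_VAR_inventory_path: ${{ runner.temp }}/ansible/hosts
    steps:
      - uses: actions/checkout@v4

      - id: auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER  # placeholder
          service_account: SA_NAME@PROJECT_ID.iam.gserviceaccount.com  # placeholder

      - uses: hashicorp/setup-terraform@v3

      # Deliberately no sudo: the auth step exported GOOGLE_APPLICATION_CREDENTIALS
      # for this shell, and sudo's env_reset would discard it, reproducing the
      # "could not find default credentials" error from the question.
      - name: Terraform apply
        run: |
          terraform init -input=false
          terraform apply -input=false -auto-approve

      # Verify the inventory was written by the runner user, not root, and that
      # Ansible can parse it before any playbook consumes it.
      - name: Check generated inventory
        run: |
          test -s "$TF_VAR_inventory_path"
          ls -l "$TF_VAR_inventory_path"
          ansible-inventory -i "$TF_VAR_inventory_path" --list
```

The final step expects ansible to be installed on the runner (it is on the hosted ubuntu images; add an install step otherwise). If a later job must read the inventory, upload it with actions/upload-artifact rather than widening filesystem permissions or running terraform under sudo, so the credentials file the auth step wrote stays readable only by the runner user.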