Google Maps (routing) not playing nicely with WIF #459

Open
emigre459 opened this issue Jan 20, 2025 · 8 comments
Labels
bug Something isn't working

Comments

@emigre459

TL;DR

When using other GCP services (e.g. BigQuery, CloudStorage, etc.), I can use WIF with no service account in GH runners without issue. Trying to do the same approach with Google Maps Routing v2 keeps failing with a scoping error I cannot resolve.

Expected behavior

The error mentioned in the TL;DR is:

google.api_core.exceptions.ServiceUnavailable: 503 Getting metadata from plugin failed with error: ('Error code invalid_request: Scope(s) must be provided.', '{"error":"invalid_request","error_description":"Scope(s) must be provided."}')

I have not been able to find any maps-specific scopes that make sense nor have I been able to find Maps roles to add to my WIF pool to enable usage with that API as described in #454 (even adding mapsadmin.admin role did not solve anything). Is it possible that WIF (without a service account at least) does not play nicely with GMaps APIs currently and an API key approach is the only solve for now?

Observed behavior

No response

Action YAML

name: package_testing
on:
    push:
        branches:
            - main
    pull_request:

env:
    GMAPS_API_KEY: ${{ secrets.GMAPS_API_KEY }}
    GCP_ORG_ID: ${{ secrets.GCP_ORG_ID }}
    GCP_REGION: ${{ vars.GCP_REGION }}
    NREL_API_KEY: ${{ secrets.NREL_API_KEY }}
    ORS_API_KEY: ${{ secrets.ORS_API_KEY }}
    PROXY_URI_REQUESTS: ${{ secrets.PROXY_URI_REQUESTS }}

jobs:
    fail_fast_maps:
        permissions:
            contents: read
            id-token: write
        runs-on: ubuntu-latest
        steps:
            - name: Checkout actions
              uses: actions/checkout@v4
            - id: gcp_auth
              name: GCP authentication
              uses: google-github-actions/auth@v2
              with:
                project_id: ${{ vars.GCP_PROJECT_ID }}
                workload_identity_provider: projects/${{ vars.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/github/providers/my-repo

            - id: 'gcloud'
              name: 'Set up Cloud SDK'
              uses: 'google-github-actions/setup-gcloud@v2'
            - name: 'Use gcloud CLI'
              run: 'gcloud info'
            - name: Setup python
              id: setup-python
              uses: actions/setup-python@v5
              with:
                python-version: ${{ vars.PYTHON_VERSION }}
            - name: Install poetry
              run: |
                curl -sSL https://install.python-poetry.org | python3 -
            - name: Make the environment
              run: make env_create
            - name: Run tests
              run: poetry run pytest -n auto -v tests/test_maps.py

Log output

google.api_core.exceptions.ServiceUnavailable: 503 Getting metadata from plugin failed with error: ('Error code invalid_request: Scope(s) must be provided.', '{"error":"invalid_request","error_description":"Scope(s) must be provided."}')

Additional information

No response

@emigre459 emigre459 added the bug Something isn't working label Jan 20, 2025

Hi there @emigre459 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

@sethvargo
Member

sethvargo commented Jan 20, 2025

Hi there - could you please provide the debug output for the complete GitHub Actions workflow run? How are you passing authentication to the Maps API calls?

@emigre459
Author

Happy to! Is this what you were thinking?

logs_33280886509.zip

@sethvargo
Member

I think those are the runner diagnostics. I need the step debugs (sorry). You have to set a secret or variable named ACTIONS_STEP_DEBUG to true and run the workflow.

Without the debug logs, my best guess is that the Google Maps API does not support authentication with a federated token.

@emigre459
Author

Let's try that again!

logs_33280886509_steps.zip

@sethvargo
Member

Thanks @emigre459. I'm not a Python expert, but I think you need to pass in the OAuth scopes when you create the credential in your Python client. Something like:

import google.auth
# Request the cloud-platform scope explicitly when loading the default credentials.
SCOPES = ['https://www.googleapis.com/auth/cloud-platform']
credentials, project = google.auth.default(scopes=SCOPES)

It looks like all the routing APIs use the "cloud-platform" scope, which is what we request in the federated token.

@emigre459
Author

I tried that actually and it didn't work for some odd reason. I was under the impression that google.auth.default() automatically is using the cloud-platform scope, but when I provided scopes like that I got the error below. I'm attaching step-level debugging logs from the run in which scopes are provided here for reference. The link it recommends checking out goes to a 404 page sadly and I'm not sure how I'm supposed to be passing more tokens over (wasn't aware I needed to do token management for this approach at all).

FAILED tests/test_amenities_pull.py::test_amenities_search - google.api_core.exceptions.Unauthenticated: 401 Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.

logs_33283107667.zip

@sethvargo
Member

Hi @emigre459 - I'm not really sure how to help debug this. It doesn't seem like the Google Maps API client is properly honoring the Workload Identity credential type. You might try opening an issue on the Google Maps Python API client to see if they can help. Unfortunately I'm not an expert in Python or that client - this action sets up the "credential file" in the proper format that all Google Cloud client libraries are supposed to honor.
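
The credential file mentioned in the last comment can be inspected before any API call is made. The following is an added example, not code from the thread or from google-github-actions/auth: it assumes the file is the `external_account` JSON that `GOOGLE_APPLICATION_CREDENTIALS` points to, `inspect_wif_config` is a hypothetical helper, and the sample config (project number, credential source URL) is constructed.

```python
import json
import os
import re

# Constructed sample in the shape of an external_account (WIF) credential config.
# The project number and credential_source URL are placeholders, not thread values.
SAMPLE_CONFIG = json.loads("""
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/github/providers/my-repo",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {"url": "https://example.invalid/oidc", "format": {"type": "json", "subject_token_field_name": "value"}}
}
""")

AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/(?P<project_number>\d+)/locations/global"
    r"/workloadIdentityPools/(?P<pool>[^/]+)/providers/(?P<provider>[^/]+)$"
)

def inspect_wif_config(config, scopes=None):
    """Return (summary, findings) for a credential config and the scopes requested."""
    findings = []
    if config.get("type") != "external_account":
        findings.append("not a Workload Identity Federation credential config")
        return {}, findings
    match = AUDIENCE_RE.match(config.get("audience", ""))
    if not match:
        findings.append("audience is not a workload identity provider resource name")
    summary = match.groupdict() if match else {}
    # Direct WIF sends the federated token itself to the API; with an
    # impersonation URL it is first traded for a service account token.
    impersonated = bool(config.get("service_account_impersonation_url"))
    summary["mode"] = ("service_account_impersonation" if impersonated
                       else "direct_federated_token")
    if not scopes:
        findings.append("no scopes requested; the thread's first error was "
                        "'Scope(s) must be provided.'")
    if not impersonated:
        findings.append("target API must accept federated tokens directly")
    return summary, findings

if __name__ == "__main__":
    path = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if path:
        with open(path) as fh:
            SAMPLE_CONFIG = json.load(fh)
    print(inspect_wif_config(SAMPLE_CONFIG, scopes=None))
```

Run as a workflow step after the auth step, it shows which mode the job is in without printing any token material.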
