Authentication Failure for GitHub Action workflow with error to specify exactly one of "workload_identity_provider" or "credentials_json"

[Abhimanyu7991]

TL;DR

ERROR MESSAGE
google-github-actions/auth failed with: the GitHub Action workflow must specify exactly one of "workload_identity_provider" or "credentials_json"! If you are specifying input values via GitHub secrets, ensure the secret is being injected into the environment. By default, secrets are not passed to workflows triggered from forks, including Dependabot.

Expected behavior

The workflow runs successfully to authenticate based on the selected environment based on the branch and authenticates to Google cloud.

Observed behavior

The workflow runs for the particular workflow are not authenticating even though it selects the right environment and fetches the secrets.

The authentication steps works well for other workflows in the dev branch when triggering dev environment.

Action YAML

jobs:
    set-environment:
        name: "Set Environment"
        runs-on: ubuntu-latest
        outputs:
            env_name: ${{ steps.set-env.outputs.env_name }}
            file_name: ${{ steps.set-env.outputs.deployment_file }}
        steps:
        - name: Branch to Environment
          id: set-env
          run: |
            echo "Running on branch ${{ github.ref_name }}"
            BRANCH="${{ github.ref_name }}"
            if [ "$BRANCH" = "main" ]; then
                echo "env_name=production-organization" >> $GITHUB_OUTPUT
                echo "deployment_file=prod-org-deployment.tfvars" >> $GITHUB_OUTPUT
            elif [ "$BRANCH" = "dev" ]; then
                echo "env_name=development-organization" >> $ GITHUB_OUTPUT
                echo "deployment_file=dev-org-deployment.tfvars" >> $GITHUB_OUTPUT
            else
                echo "env_name=development-organization" >> $GITHUB_OUTPUT
                echo "deployment_file=dev-org-deployment.tfvars" >> $GITHUB_OUTPUT
            fi
    deploy-core-projects:
        name: 'Terraform Deployment - Folder Hierarchical Structure'
        runs-on: ubuntu-latest
        needs: set-environment
        environment: ${{needs.set-environment.outputs.env_name}}
        strategy:
          matrix:
            folder_name: [ "network-dev", "network-prod", "cloud-finops", "management", "shared-services" ]
        steps:
        - name: Set current date as env variable
          run: echo "NOW=$(date +'%Y-%m-%dT%H_%M_%S')" >> $GITHUB_ENV

        - name: Checkout
          uses: actions/checkout@v4
        
        - id: 'auth'
          name: 'Authenticate to Google Cloud'
          uses: 'google-github-actions/auth@v2'
          with:
            project_id: '${{ secrets.PROJECT_ID }}'
            workload_identity_provider: '${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}'

Log output

Additional information

The workflow is running successfully from the main branch for production environment but is failing from dev branch for development environment. See the last 4 runs below

I also updated the secrets assuming something else was wrong but the behaviour is still the same.

[github-actions]

Hi there @Abhimanyu7991 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

[sethvargo]

Hi @Abhimanyu7991 - this is not a bug in google-github-actions/auth. ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }} is not being set for some reason, most likely because of an environment name mismatch. We get the serialized YAML, and as you can see in the output, it's resolving to the empty string.

Given it works for main but not for dev, that likely means you've created an environment-specific secret instead of a global one.