README incorrect?

[techieshark]

Reading this part of the README:

5. As needed, allow authentications from the Workload Identity Pool to Google Cloud resources. These can be any Google Cloud resources that support federated ID tokens, and it can be done after the GitHub Action is configured.

The following example shows granting access from a GitHub Action in a specific repository a secret in Google Secret Manager.

# TODO: replace ${PROJECT_ID}, ${WORKLOAD_IDENTITY_POOL_ID}, and ${REPO}
# with your values below.
#
# ${REPO} is the full repo name including the parent GitHub organization,
# such as "my-org/my-repo".
#
# ${WORKLOAD_IDENTITY_POOL_ID} is the full pool id, such as
# "projects/123456789/locations/global/workloadIdentityPools/github".

gcloud secrets add-iam-policy-binding "my-secret" \
  --project="${PROJECT_ID}" \
  --role="roles/secretmanager.secretAccessor" \
  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${REPO}"

I would have assumed I could use the similar --member example and it would work.

However, when I modify the command to try allowing deployments to google cloud functions:

 gcloud projects add-iam-policy-binding our-project-name --role=roles/cloudfunctions.developer --member=principalSet://iam.googleapis.com/my-pool/attribute.repository/my-github-user/my-repo-name

I get this error:

ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: The member principalSet://iam.googleapis.com/my-pool/attribute.repository/my-github-user/my-repo-name is of an unknown type. Please set a valid type prefix for the member.

I had no idea what "...is of an unknown type" meant, but I googled it and landed on

hashicorp/terraform-provider-google#12446 (comment)

which suggests to me that the example in this README is not working.

I switch the command to as follows and I don't get the error:

gcloud projects add-iam-policy-binding "$PROJECT_NUMBER" \
  --role="roles/cloudfunctions.developer" \
  --member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${REPO}"

(Note PROJECT_NUMBER is the numeric project number, found by navigating to project settings from top right of google cloud)

[github-actions]

Hi there @techieshark 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

[sethvargo]

Hi @techieshark - ${WORKLOAD_IDENTITY_POOL_ID} is the full resource ID for the identity pool like projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider, so the identity would be something like:

principalSet://iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider