TL;DR
Receiving "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist)." even with
- Permissions: Service Account Token Creator, Workload Identity User, and Service Account Admin
- workload_identity_provider is of the format projects/<Project Number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>
Expected behavior
Successful Access Token Creation
Observed behavior
permission denied
Action YAML
deploy_docker_services.yaml
name: 'Build and Deploy Docker Microservices'
description: 'Build and Deploy Docker Microservices'
inputs:
  service:
    description: 'Which Service To Build'
    required: true
  run-service-name:
    description: 'Name of Service To Build'
    required: true
  docker_image:
    description: 'Docker image url'
    required: true
  project_id:
    description: 'The GCP Project ID'
    required: true
  workload_identity_provider:
    description: 'The GCP Credentials JSON'
    required: true
  service_account:
    description: 'The GCP Service Account'
    required: true
  artifact_url:
    description: 'The GCP Artifact URL'
    required: true
  gcp_region:
    description: 'The GCP Region'
    required: true
runs:
  using: "composite"
  steps:
    - name: 'GCP AUTH'
      id: auth
      uses: 'google-github-actions/auth@v3'
      with:
        token_format: 'access_token'
        project_id: ${{ inputs.project_id }}
        workload_identity_provider: ${{ inputs.workload_identity_provider }}
        service_account: ${{ inputs.service_account }}
    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v3'
      with:
        version: '>= 363.0.0'
    - name: Login to Artifact Registry
      uses: docker/login-action@v3
      with:
        registry: ${{ inputs.gcp_region }}-docker.pkg.dev
        username: oauth2accesstoken
        password: ${{ steps.auth.outputs.access_token }}
    - name: 'Build Docker Container'
      shell: bash
      run: |
        docker build -t ${{ inputs.docker_image }} -f ./${{ inputs.service }}/docker/cloud/Dockerfile .
    - name: 'Push Docker Container'
      shell: bash
      run: |
        docker push ${{ inputs.docker_image }}
    - id: 'deploy'
      uses: 'google-github-actions/deploy-cloudrun@v1'
      with:
        region: ${{ inputs.gcp_region }}
        service: ${{ inputs.run-service-name }}
        image: ${{ inputs.docker_image }}
on_deploy.yaml
name: 'Production CA Deploy Services'
on:
  workflow_call:
  workflow_dispatch:
jobs:
  send_starting_notification:
    name: 'Send Slack notification'
    runs-on: ubuntu-latest
    steps:
      - name: 'Slack Notification'
        if: always()
        uses: slackapi/slack-github-action@v1.24.0
        with:
          channel-id: 'backend-notifications'
          slack-message: "Github Deploy to Stg-CA starting....\n run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} \n ${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
  deploy_wave_service:
    permissions:
      id-token: write
      contents: read
    name: 'Deploy the Wave Service'
    runs-on: ubuntu-latest
    environment: Stg-CA
    services:
      registry:
        image: registry:2
        ports:
          - 5000:5000
    steps:
      - name: 'Checkout'
        uses: actions/checkout@v4
      - name: 'Deploy Wave Service'
        uses: ./.github/actions/deploy_docker_service
        with:
          service: wave_service
          docker_image: northamerica-northeast1-docker.pkg.dev/mynormative-prod/microservices/wave_service:latest
          project_id: ${{ secrets.GCP_PROJECT_ID }}
          workload_identity_provider: ${{ secrets.GCP_IDENTITY }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
          artifact_url: ${{ secrets.ARTIFACT_URL }}
          run-service-name: wave-service
          gcp_region: ${{ secrets.GCP_REGION }}
      - name: "Migrate Service Database"
        uses: ./.github/actions/migrate_database
        with:
          service: wave_service
          project_id: ${{ secrets.GCP_PROJECT_ID }}
          workload_identity_provider: ${{ secrets.GCP_IDENTITY }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
          database_instance: ${{ secrets.WAVE_DATABASE_INSTANCE }}
          database_conn_str: ${{ secrets.WAVE_DATABASE_CONN_STR }}
      # .... <repeats for several services>
Log output
2026-04-13T19:07:50.2309990Z ##[debug]Evaluating condition for step: 'Deploy Customer Portal Rest Controller Service'
2026-04-13T19:07:50.2315895Z ##[debug]Evaluating: success()
2026-04-13T19:07:50.2317331Z ##[debug]Evaluating success:
2026-04-13T19:07:50.2318833Z ##[debug]=> true
2026-04-13T19:07:50.2320189Z ##[debug]Result: true
2026-04-13T19:07:50.2322355Z ##[debug]Starting: Deploy Customer Portal Rest Controller Service
2026-04-13T19:07:50.2569244Z Prepare all required actions
2026-04-13T19:07:50.2570496Z Getting action download info
2026-04-13T19:07:50.5357884Z Download action repository 'google-github-actions/auth@v3' (SHA:7c6bc770dae815cd3e89ee6cdf493a5fab2cc093)
2026-04-13T19:07:50.7052775Z ##[debug]Download 'https://api.github.com/repos/google-github-actions/auth/tarball/7c6bc770dae815cd3e89ee6cdf493a5fab2cc093' to '/home/runner/work/_actions/_temp_0f7501f7-59dd-42b7-97b2-898467543be2/8b6ed362-18cd-4300-a900-b9254d1ae8f7.tar.gz'
2026-04-13T19:07:50.7279438Z ##[debug]Unwrap 'google-github-actions-auth-7c6bc77' to '/home/runner/work/_actions/google-github-actions/auth/v3'
2026-04-13T19:07:50.7338890Z ##[debug]Archive '/home/runner/work/_actions/_temp_0f7501f7-59dd-42b7-97b2-898467543be2/8b6ed362-18cd-4300-a900-b9254d1ae8f7.tar.gz' has been unzipped into '/home/runner/work/_actions/google-github-actions/auth/v3'.
2026-04-13T19:07:50.7364168Z Download action repository 'google-github-actions/setup-gcloud@v3' (SHA:aa5489c8933f4cc7a4f7d45035b3b1440c9c10db)
2026-04-13T19:07:50.8912762Z ##[debug]Download 'https://api.github.com/repos/google-github-actions/setup-gcloud/tarball/aa5489c8933f4cc7a4f7d45035b3b1440c9c10db' to '/home/runner/work/_actions/_temp_228ff634-3bab-425e-9013-1ff6ed0603ad/9fccdd66-c180-4501-8a93-bc28b6189a0d.tar.gz'
2026-04-13T19:07:50.9224851Z ##[debug]Unwrap 'google-github-actions-setup-gcloud-aa5489c' to '/home/runner/work/_actions/google-github-actions/setup-gcloud/v3'
2026-04-13T19:07:50.9274889Z ##[debug]Archive '/home/runner/work/_actions/_temp_228ff634-3bab-425e-9013-1ff6ed0603ad/9fccdd66-c180-4501-8a93-bc28b6189a0d.tar.gz' has been unzipped into '/home/runner/work/_actions/google-github-actions/setup-gcloud/v3'.
2026-04-13T19:07:50.9306022Z Download action repository 'docker/login-action@v3' (SHA:c94ce9fb468520275223c153574b00df6fe4bcc9)
2026-04-13T19:07:51.1331093Z ##[debug]Download 'https://api.github.com/repos/docker/login-action/tarball/c94ce9fb468520275223c153574b00df6fe4bcc9' to '/home/runner/work/_actions/_temp_5d30db52-0c36-412a-932e-d76867242a01/8b728113-0139-46f7-b05a-fc232a812793.tar.gz'
2026-04-13T19:07:51.2511177Z ##[debug]Unwrap 'docker-login-action-c94ce9f' to '/home/runner/work/_actions/docker/login-action/v3'
2026-04-13T19:07:51.2628660Z ##[debug]Archive '/home/runner/work/_actions/_temp_5d30db52-0c36-412a-932e-d76867242a01/8b728113-0139-46f7-b05a-fc232a812793.tar.gz' has been unzipped into '/home/runner/work/_actions/docker/login-action/v3'.
2026-04-13T19:07:51.2674444Z Download action repository 'google-github-actions/deploy-cloudrun@v1' (SHA:e62f655d5754bec48078a72edc015367b01ee97b)
2026-04-13T19:07:51.5105252Z ##[debug]Download 'https://api.github.com/repos/google-github-actions/deploy-cloudrun/tarball/e62f655d5754bec48078a72edc015367b01ee97b' to '/home/runner/work/_actions/_temp_11d3ca15-d0a1-436c-8791-d7761c830e31/ab5903e6-74ff-4341-8ac4-c7d4d4f22e4f.tar.gz'
2026-04-13T19:07:51.5269807Z ##[debug]Unwrap 'google-github-actions-deploy-cloudrun-e62f655' to '/home/runner/work/_actions/google-github-actions/deploy-cloudrun/v1'
2026-04-13T19:07:51.5317228Z ##[debug]Archive '/home/runner/work/_actions/_temp_11d3ca15-d0a1-436c-8791-d7761c830e31/ab5903e6-74ff-4341-8ac4-c7d4d4f22e4f.tar.gz' has been unzipped into '/home/runner/work/_actions/google-github-actions/deploy-cloudrun/v1'.
2026-04-13T19:07:51.5337471Z ##[debug]action.yml for action: '/home/runner/work/_actions/google-github-actions/auth/v3/action.yml'.
2026-04-13T19:07:51.5499215Z ##[debug]action.yml for action: '/home/runner/work/_actions/google-github-actions/setup-gcloud/v3/action.yml'.
2026-04-13T19:07:51.5572636Z ##[debug]action.yml for action: '/home/runner/work/_actions/docker/login-action/v3/action.yml'.
2026-04-13T19:07:51.5635115Z ##[debug]action.yml for action: '/home/runner/work/_actions/google-github-actions/deploy-cloudrun/v1/action.yml'.
2026-04-13T19:07:51.5932909Z ##[debug]Register post job cleanup for action: /./.github/actions/deploy_docker_service
2026-04-13T19:07:51.5968802Z ##[debug]Loading inputs
2026-04-13T19:07:51.5983427Z ##[debug]Evaluating: secrets.GCP_PROJECT_ID
2026-04-13T19:07:51.5984602Z ##[debug]Evaluating Index:
2026-04-13T19:07:51.5985592Z ##[debug]..Evaluating secrets:
2026-04-13T19:07:51.5986595Z ##[debug]..=> Object
2026-04-13T19:07:51.5987483Z ##[debug]..Evaluating String:
2026-04-13T19:07:51.5988497Z ##[debug]..=> 'GCP_PROJECT_ID'
2026-04-13T19:07:51.5989871Z ##[debug]=> '***'
2026-04-13T19:07:51.5990769Z ##[debug]Result: '***'
2026-04-13T19:07:51.5992240Z ##[debug]Evaluating: secrets.GCP_IDENTITY
2026-04-13T19:07:51.5993306Z ##[debug]Evaluating Index:
2026-04-13T19:07:51.5994249Z ##[debug]..Evaluating secrets:
2026-04-13T19:07:51.5995250Z ##[debug]..=> Object
2026-04-13T19:07:51.5996122Z ##[debug]..Evaluating String:
2026-04-13T19:07:51.5997111Z ##[debug]..=> 'GCP_IDENTITY'
2026-04-13T19:07:51.5998755Z ##[debug]=> '***'
2026-04-13T19:07:51.6000283Z ##[debug]Result: '***'
2026-04-13T19:07:51.6001489Z ##[debug]Evaluating: secrets.GCP_SERVICE_ACCOUNT
2026-04-13T19:07:51.6002961Z ##[debug]Evaluating Index:
2026-04-13T19:07:51.6003900Z ##[debug]..Evaluating secrets:
2026-04-13T19:07:51.6004845Z ##[debug]..=> Object
2026-04-13T19:07:51.6005751Z ##[debug]..Evaluating String:
2026-04-13T19:07:51.6006790Z ##[debug]..=> 'GCP_SERVICE_ACCOUNT'
2026-04-13T19:07:51.6008133Z ##[debug]=> '***'
2026-04-13T19:07:51.6009322Z ##[debug]Result: '***'
2026-04-13T19:07:51.6010535Z ##[debug]Evaluating: secrets.ARTIFACT_URL
2026-04-13T19:07:51.6011588Z ##[debug]Evaluating Index:
2026-04-13T19:07:51.6012661Z ##[debug]..Evaluating secrets:
2026-04-13T19:07:51.6013596Z ##[debug]..=> Object
2026-04-13T19:07:51.6014454Z ##[debug]..Evaluating String:
2026-04-13T19:07:51.6015438Z ##[debug]..=> 'ARTIFACT_URL'
2026-04-13T19:07:51.6016810Z ##[debug]=> '***'
2026-04-13T19:07:51.6018125Z ##[debug]Result: '***'
2026-04-13T19:07:51.6019283Z ##[debug]Evaluating: secrets.GCP_REGION
2026-04-13T19:07:51.6020322Z ##[debug]Evaluating Index:
2026-04-13T19:07:51.6021234Z ##[debug]..Evaluating secrets:
2026-04-13T19:07:51.6022286Z ##[debug]..=> Object
2026-04-13T19:07:51.6023171Z ##[debug]..Evaluating String:
2026-04-13T19:07:51.6024145Z ##[debug]..=> 'GCP_REGION'
2026-04-13T19:07:51.6025164Z ##[debug]=> '***'
2026-04-13T19:07:51.6026068Z ##[debug]Result: '***'
2026-04-13T19:07:51.6029055Z ##[debug]Loading env
2026-04-13T19:07:51.6047216Z ##[group]Run ./.github/actions/deploy_docker_service
2026-04-13T19:07:51.6048318Z with:
2026-04-13T19:07:51.6049184Z service: customer_portal_rest_controller_service
2026-04-13T19:07:51.6051392Z docker_image: northamerica-northeast1-docker.pkg.dev/mynormative-prod/microservices/customer_portal_rest_controller_service:latest
2026-04-13T19:07:51.6053993Z project_id: ***
2026-04-13T19:07:51.6055658Z workload_identity_provider: ***
2026-04-13T19:07:51.6057011Z service_account: ***
2026-04-13T19:07:51.6058535Z artifact_url: ***
2026-04-13T19:07:51.6059585Z run-service-name: customer-portal-rest-controller-service
2026-04-13T19:07:51.6060899Z gcp_region: ***
2026-04-13T19:07:51.6061679Z ##[endgroup]
2026-04-13T19:07:51.6127236Z ##[debug]Evaluating condition for step: 'run'
2026-04-13T19:07:51.6130829Z ##[debug]Evaluating: success()
2026-04-13T19:07:51.6132625Z ##[debug]Evaluating success:
2026-04-13T19:07:51.6134397Z ##[debug]=> true
2026-04-13T19:07:51.6135689Z ##[debug]Result: true
2026-04-13T19:07:51.6144297Z ##[debug]Starting: run
2026-04-13T19:07:51.6222846Z ##[debug]Register post job cleanup for action: google-github-actions/auth@v3
2026-04-13T19:07:51.6248987Z ##[debug]Loading inputs
2026-04-13T19:07:51.6252815Z ##[debug]Evaluating: inputs.project_id
2026-04-13T19:07:51.6253889Z ##[debug]Evaluating Index:
2026-04-13T19:07:51.6255056Z ##[debug]..Evaluating inputs:
2026-04-13T19:07:51.6256025Z ##[debug]..=> Object
2026-04-13T19:07:51.6256905Z ##[debug]..Evaluating String:
2026-04-13T19:07:51.6257867Z ##[debug]..=> 'project_id'
2026-04-13T19:07:51.6258959Z ##[debug]=> '***'
2026-04-13T19:07:51.6259850Z ##[debug]Result: '***'
2026-04-13T19:07:51.6261174Z ##[debug]Evaluating: inputs.workload_identity_provider
2026-04-13T19:07:51.6262505Z ##[debug]Evaluating Index:
2026-04-13T19:07:51.6263432Z ##[debug]..Evaluating inputs:
2026-04-13T19:07:51.6264374Z ##[debug]..=> Object
2026-04-13T19:07:51.6265238Z ##[debug]..Evaluating String:
2026-04-13T19:07:51.6266227Z ##[debug]..=> 'workload_identity_provider'
2026-04-13T19:07:51.6267962Z ##[debug]=> '***'
2026-04-13T19:07:51.6269495Z ##[debug]Result: '***'
2026-04-13T19:07:51.6270661Z ##[debug]Evaluating: inputs.service_account
2026-04-13T19:07:51.6271740Z ##[debug]Evaluating Index:
2026-04-13T19:07:51.6272786Z ##[debug]..Evaluating inputs:
2026-04-13T19:07:51.6273721Z ##[debug]..=> Object
2026-04-13T19:07:51.6274597Z ##[debug]..Evaluating String:
2026-04-13T19:07:51.6275544Z ##[debug]..=> 'service_account'
2026-04-13T19:07:51.6276818Z ##[debug]=> '***'
2026-04-13T19:07:51.6277996Z ##[debug]Result: '***'
2026-04-13T19:07:51.6304644Z ##[debug]Loading env
2026-04-13T19:07:51.6319426Z ##[group]Run google-github-actions/auth@v3
2026-04-13T19:07:51.6320458Z with:
2026-04-13T19:07:51.6321219Z token_format: access_token
2026-04-13T19:07:51.6322337Z project_id: ***
2026-04-13T19:07:51.6324006Z workload_identity_provider: ***
2026-04-13T19:07:51.6325351Z service_account: ***
2026-04-13T19:07:51.6326226Z create_credentials_file: true
2026-04-13T19:07:51.6327217Z export_environment_variables: true
2026-04-13T19:07:51.6328224Z universe: googleapis.com
2026-04-13T19:07:51.6329127Z cleanup_credentials: true
2026-04-13T19:07:51.6330043Z access_token_lifetime: 3600s
2026-04-13T19:07:51.6331322Z access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2026-04-13T19:07:51.6332968Z id_token_include_email: false
2026-04-13T19:07:51.6333884Z ##[endgroup]
2026-04-13T19:07:51.7238347Z ##[debug]Using workload identity provider "***"
2026-04-13T19:07:51.7248055Z ##[debug]ID token url is https://run-actions-2-azure-eastus.actions.githubusercontent.com/42//idtoken/baeb7e3d-e9ad-46b9-a14d-337ef0e89b86/60484a81-4a45-58ac-ae75-cc1f68fcca0e?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2F***
2026-04-13T19:07:51.7880883Z ::add-mask::***
2026-04-13T19:07:51.7892825Z ##[debug]WorkloadIdentityFederationClient: Computed audience, //iam.googleapis.com/***
2026-04-13T19:07:51.7896970Z ##[debug]Creating credentials file
2026-04-13T19:07:51.7908538Z ##[debug]WorkloadIdentityFederationClient.createCredentialsFile: Enabling service account impersonation via https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/***:generateAccessToken
2026-04-13T19:07:51.7921515Z ##[debug]WorkloadIdentityFederationClient.createCredentialsFile: Creating credentials, {
2026-04-13T19:07:51.7925667Z ##[debug] "outputPath": "/home/runner/work/Microservices/Microservices/gha-creds-612e4ce53adccc71.json"
2026-04-13T19:07:51.7928402Z ##[debug]}
2026-04-13T19:07:51.8004468Z Created credentials file at "/home/runner/work/Microservices/Microservices/gha-creds-612e4ce53adccc71.json"
2026-04-13T19:07:51.8014916Z ##[debug]WorkloadIdentityFederationClient.getToken: Built request, {
2026-04-13T19:07:51.8017270Z ##[debug] "method": "POST",
2026-04-13T19:07:51.8019080Z ##[debug] "path": "https://sts.googleapis.com/v1/token",
2026-04-13T19:07:51.8021030Z ##[debug] "headers": {},
2026-04-13T19:07:51.8022657Z ##[debug] "body": {
2026-04-13T19:07:51.8025855Z ##[debug] "audience": "//iam.googleapis.com/***",
2026-04-13T19:07:51.8036573Z ##[debug] "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
2026-04-13T19:07:51.8039561Z ##[debug] "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
2026-04-13T19:07:51.8042799Z ##[debug] "scope": "https://www.googleapis.com/auth/cloud-platform",
2026-04-13T19:07:51.8045810Z ##[debug] "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
2026-04-13T19:07:51.8298951Z ##[debug] "subjectToken": "***"
2026-04-13T19:07:51.8300649Z ##[debug] }
2026-04-13T19:07:51.8301851Z ##[debug]}
2026-04-13T19:07:51.8524436Z ##[debug]Successfully generated auth token
2026-04-13T19:07:51.8545424Z ::add-mask::***
2026-04-13T19:07:51.8566140Z ##[debug]Creating access token
2026-04-13T19:07:51.8569851Z ##[debug]Using normal access token flow
2026-04-13T19:07:51.8573814Z ##[debug]IAMCredentialsClient.generateAccessToken: Built request, {
2026-04-13T19:07:51.8575944Z ##[debug] "method": "POST",
2026-04-13T19:07:51.8579645Z ##[debug] "path": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/***:generateAccessToken",
2026-04-13T19:07:51.8582751Z ##[debug] "headers": {
2026-04-13T19:07:51.8605803Z ##[debug] "Authorization": "***"
2026-04-13T19:07:51.8607138Z ##[debug] },
2026-04-13T19:07:51.8608288Z ##[debug] "body": {
2026-04-13T19:07:51.8609517Z ##[debug] "scope": [
2026-04-13T19:07:51.8611139Z ##[debug] "https://www.googleapis.com/auth/cloud-platform"
2026-04-13T19:07:51.8612738Z ##[debug] ],
2026-04-13T19:07:51.8613770Z ##[debug] "lifetime": "3600s"
2026-04-13T19:07:51.8614751Z ##[debug] }
2026-04-13T19:07:51.8615466Z ##[debug]}
2026-04-13T19:07:51.9310916Z ##[error]google-github-actions/auth failed with: failed to generate Google Cloud OAuth 2.0 Access Token for ***: {
"error": {
"code": 403,
"message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
"status": "PERMISSION_DENIED",
"details": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "IAM_PERMISSION_DENIED",
"domain": "iam.googleapis.com",
"metadata": {
"permission": "iam.serviceAccounts.getAccessToken"
}
}
]
}
}
2026-04-13T19:07:51.9350401Z ##[debug]Node Action run completed with exit code 1
2026-04-13T19:07:51.9360710Z ##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/Microservices/Microservices/gha-creds-612e4ce53adccc71.json'
2026-04-13T19:07:51.9362970Z ##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/Microservices/Microservices/gha-creds-612e4ce53adccc71.json'
2026-04-13T19:07:51.9364425Z ##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/Microservices/Microservices/gha-creds-612e4ce53adccc71.json'
2026-04-13T19:07:51.9365624Z ##[debug]CLOUDSDK_CORE_PROJECT='***'
2026-04-13T19:07:51.9366466Z ##[debug]CLOUDSDK_PROJECT='***'
2026-04-13T19:07:51.9367262Z ##[debug]GCLOUD_PROJECT='***'
2026-04-13T19:07:51.9368056Z ##[debug]GCP_PROJECT='***'
2026-04-13T19:07:51.9368852Z ##[debug]GOOGLE_CLOUD_PROJECT='***'
2026-04-13T19:07:51.9389209Z ##[debug]Set output credentials_file_path = /home/runner/work/Microservices/Microservices/gha-creds-612e4ce53adccc71.json
2026-04-13T19:07:51.9390766Z ##[debug]Set output project_id = ***
2026-04-13T19:07:51.9399055Z ##[debug]Set output auth_token = ***
2026-04-13T19:07:51.9408068Z ##[debug]Finished: run
2026-04-13T19:07:51.9417686Z ##[debug]Evaluating condition for step: 'run'
2026-04-13T19:07:51.9421166Z ##[debug]Evaluating: success()
2026-04-13T19:07:51.9422780Z ##[debug]Evaluating success:
2026-04-13T19:07:51.9423992Z ##[debug]=> false
2026-04-13T19:07:51.9425064Z ##[debug]Result: false
2026-04-13T19:07:51.9429041Z ##[debug]Evaluating condition for step: 'run'
2026-04-13T19:07:51.9431451Z ##[debug]Evaluating: success()
2026-04-13T19:07:51.9432783Z ##[debug]Evaluating success:
2026-04-13T19:07:51.9433827Z ##[debug]=> false
2026-04-13T19:07:51.9434890Z ##[debug]Result: false
2026-04-13T19:07:51.9437825Z ##[debug]Evaluating condition for step: 'run'
2026-04-13T19:07:51.9440222Z ##[debug]Evaluating: success()
2026-04-13T19:07:51.9441298Z ##[debug]Evaluating success:
2026-04-13T19:07:51.9442541Z ##[debug]=> false
2026-04-13T19:07:51.9443604Z ##[debug]Result: false
2026-04-13T19:07:51.9446516Z ##[debug]Evaluating condition for step: 'run'
2026-04-13T19:07:51.9448905Z ##[debug]Evaluating: success()
2026-04-13T19:07:51.9450148Z ##[debug]Evaluating success:
2026-04-13T19:07:51.9451227Z ##[debug]=> false
2026-04-13T19:07:51.9452581Z ##[debug]Result: false
2026-04-13T19:07:51.9455532Z ##[debug]Evaluating condition for step: 'run'
2026-04-13T19:07:51.9457876Z ##[debug]Evaluating: success()
2026-04-13T19:07:51.9458952Z ##[debug]Evaluating success:
2026-04-13T19:07:51.9459993Z ##[debug]=> false
2026-04-13T19:07:51.9461035Z ##[debug]Result: false
2026-04-13T19:07:51.9473032Z ##[debug]Finishing: Deploy Customer Portal Rest Controller Service
Additional information
I've checked the attribute settings and they match other environments.
This same script works for other environments with the same actions.
I've gone through the troubleshooting docs.
I've checked that the correct permissions, including the roles.iam.workloadIdentityUser, are granted, as hinted in the docs above.
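
In the log above the STS exchange succeeds and only the `generateAccessToken` call returns 403, so the check that matters is whether the service account's IAM policy grants a token-minting role to the federated identity itself. The following is an added example, not part of the original report or of the action's code: it compares a policy, in the shape returned by `gcloud iam service-accounts get-iam-policy --format=json`, against the member strings a GitHub token can satisfy. The project number, pool, organisation and policy are constructed placeholders, the attribute mapping is assumed to be already applied (`MAPPED`), and only subject and custom-attribute members on the service account's own policy are handled.

```python
# Added example: offline check of a service account IAM policy against a federated identity.
# Every name and value below is a constructed placeholder, not taken from the report.

# Predefined roles that contain iam.serviceAccounts.getAccessToken.
# roles/iam.serviceAccountAdmin manages accounts and does not contain it.
TOKEN_ROLES = {"roles/iam.workloadIdentityUser", "roles/iam.serviceAccountTokenCreator"}


def pool_of(provider):
    """Return the pool resource name from a workload_identity_provider value."""
    pool, sep, _ = provider.partition("/providers/")
    parts = pool.split("/")
    if not sep or len(parts) != 6 or parts[0] != "projects" or not parts[1].isdigit():
        raise ValueError("expected projects/<number>/locations/global/"
                         "workloadIdentityPools/<pool>/providers/<provider>")
    return pool


def federated_members(provider, mapped):
    """IAM member strings that a token with these mapped attributes satisfies."""
    base = "iam.googleapis.com/" + pool_of(provider)
    members = {f"principalSet://{base}/*"}
    for key, value in mapped.items():
        if key == "google.subject":
            members.add(f"principal://{base}/subject/{value}")
        elif key.startswith("attribute."):
            members.add(f"principalSet://{base}/{key}/{value}")
    return members


def diagnose(policy, provider, mapped):
    """Split token-granting bindings into ones that match the identity and ones that miss."""
    wanted = federated_members(provider, mapped)
    grants, misses = [], []
    for binding in policy.get("bindings", []):
        if binding["role"] not in TOKEN_ROLES:
            continue
        for member in binding.get("members", []):
            if member in wanted:
                # A conditional binding still needs its expression evaluated by hand.
                grants.append((binding["role"], member, "condition" in binding))
            elif member.startswith(("principal://", "principalSet://")):
                misses.append((binding["role"], member))
    return grants, misses


# Constructed sample. The job sets `environment: Stg-CA`, so GitHub issues an
# environment-form subject; a binding written for a branch ref does not match it.
PROVIDER = "projects/123456789012/locations/global/workloadIdentityPools/gh-pool/providers/gh"
MAPPED = {"google.subject": "repo:example-org/Microservices:environment:Stg-CA",
          "attribute.repository": "example-org/Microservices"}
POOL = "iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/gh-pool"
POLICY = {"bindings": [
    {"role": "roles/iam.serviceAccountAdmin",
     "members": [f"principalSet://{POOL}/attribute.repository/example-org/Microservices"]},
    {"role": "roles/iam.workloadIdentityUser",
     "members": [f"principal://{POOL}/subject/repo:example-org/Microservices:ref:refs/heads/main"]},
]}

if __name__ == "__main__":
    grants, misses = diagnose(POLICY, PROVIDER, MAPPED)
    print("matching grants:", grants or "none, generateAccessToken would return 403")
    for role, member in misses:
        print("binding does not match this identity:", role, member)
```

Roles inherited from the project-level policy are not visible in the service account's own policy and have to be checked separately.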