GCP-auth runs into Invalid OAuth scope or ID token audience provided. when the service account only has access to the Artifact Registry. #19328

Open
seperman opened this issue Jul 25, 2024 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Comments

@seperman

seperman commented Jul 25, 2024

What Happened?

I created a minikube instance with gcp-auth addon. The service key was passed to the addon via the env variable.
GCP auth does not create a secret as expected. Looking at the logs:

2024/07/25 17:56:45 GCP Auth Webhook started!
2024/07/25 17:56:45 creating pull secret: oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"invalid_scope","error_description":"Invalid OAuth scope or ID token audience provided."}

The key is a read-only key for GCP Artifact Registry.
Looking at similar issues, probably the reason is that a scope needs to be passed: https://developers.google.com/identity/protocols/oauth2/service-account#error-codes

Attach the log file

log.txt

Operating System

Ubuntu

Driver

KVM2
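The error in the log above comes from the token exchange step of the service-account flow: the client signs a JWT assertion (iss, scope, aud, exp, iat) and posts it to Google's token endpoint, and the linked error-code page lists a missing or invalid scope claim as a cause of invalid_scope. The following is an added, self-contained Go example that is not part of minikube or the gcp-auth addon; it builds and verifies such an assertion with the standard library only, refuses to build one without a scope, and uses a local stand-in (CheckScope) for the endpoint's rejection so the failure mode can be reproduced offline. The RSA key is generated on the fly and the service-account email is hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TokenURL is the audience of a service-account assertion (Google's OAuth 2.0 token endpoint).
const TokenURL = "https://oauth2.googleapis.com/token"

// AssertionClaims are the claims of the JWT a service account signs and exchanges for an
// access token (RFC 7523 jwt-bearer grant). "scope" is the claim whose absence produces
// the invalid_scope response quoted in the issue.
type AssertionClaims struct {
	Iss   string `json:"iss"`
	Scope string `json:"scope,omitempty"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion signs an RS256 assertion for the service account with the requested
// scopes. It refuses a scope-less request up front instead of letting the endpoint reject it.
func BuildAssertion(key *rsa.PrivateKey, email string, scopes []string, now time.Time) (string, error) {
	if len(scopes) == 0 {
		return "", errors.New("no scopes requested; the token endpoint would answer invalid_scope")
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, err := json.Marshal(AssertionClaims{
		Iss:   email,
		Scope: strings.Join(scopes, " "), // several scopes are space-separated
		Aud:   TokenURL,
		Iat:   now.Unix(),
		Exp:   now.Add(time.Hour).Unix(), // assertions live at most one hour
	})
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// ParseAssertion verifies the RS256 signature with the service account's public key and
// returns the claims; a local stand-in for the verification the token endpoint performs.
func ParseAssertion(pub *rsa.PublicKey, jwt string) (AssertionClaims, error) {
	var c AssertionClaims
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, fmt.Errorf("signature check failed: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(payload, &c)
}

// CheckScope reproduces the failure mode from the issue locally: an assertion with an empty
// scope claim is rejected with the error_description the endpoint returned.
func CheckScope(c AssertionClaims) error {
	if strings.TrimSpace(c.Scope) == "" {
		return errors.New("invalid_scope: Invalid OAuth scope or ID token audience provided.")
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)                        // constructed key, not a real SA key
	email := "registry-reader@example-project.iam.gserviceaccount.com" // hypothetical account
	jwt, err := BuildAssertion(key, email, []string{"https://www.googleapis.com/auth/cloud-platform"}, time.Now())
	if err != nil {
		panic(err)
	}
	claims, _ := ParseAssertion(&key.PublicKey, jwt)
	fmt.Println("scope:", claims.Scope, "| check:", CheckScope(claims))
	fmt.Println("no scope:", CheckScope(AssertionClaims{Iss: email, Aud: TokenURL}))
}
```

The cloud-platform scope is the broad one; a registry-only account still needs some scope in the assertion, and the access it actually gets is then bounded by the account's IAM roles, so requesting a scope does not widen a read-only key's permissions.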

@medyagh medyagh added kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Jul 26, 2024
@medyagh
Member

medyagh commented Jul 26, 2024

Thanks for creating the issue, does that prevent the addon from being enabled and attaching the secrets to the pods ?

I would be happy to review a PR that fixes this

@seperman
Author

Hi @medyagh
Thanks for the prompt response. Yes, it doesn't create any secrets so in my case, I get ImagePullBackOff because the pods can't authenticate to GCP Artifact Registry.
Unfortunately I don't have enough experience with Go to take the initiative to make a PR for an important project like Minikube.

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 27, 2024