setup_workload_identity.sh no longer works

[anguillanneuf]

TL;DR

This convenience script to set up auth from GitHub Actions to Google Cloud worked last year in the November timeframe but no longer works now. It throws this error:

Expected behavior

No response

Observed behavior

No response

Action YAML

N/A

Log output

yarabaelish_835850@cloudshell:~ (festive-nova-476819)$ ./setup_workload_identity.sh --repo yarabaelish-demo/speckit --project festive-nova-476819
🚀 Starting Direct Workload Identity Federation setup
📦 Repository: yarabaelish-demo/speckit
☁️ Project: festive-nova-476819
🏊 Pool: github-68928269
🆔 Provider: gh-68928269

ℹ️  Verifying gcloud authentication...
✅ Authentication and project access verified
🚀 Step 1: Enabling required Google Cloud APIs
ERROR: (gcloud.services.enable) [yarabaelish.835850@gmail.com] does not have permission to access projects instance [festive-nova-476819] (or it may not exist): Bind permission denied for service: cloudcode-pa.googleapis.com
Service 'cloudcode-pa.googleapis.com' is an internal service; it requires explicit sharing with internal user/resource and cannot be used outside of its own organization.
Service cloudcode-pa.googleapis.com is not available to this consumer.
Help Token: AcxmRmLR4pJ9ewAYLFXjSJWgh6e-bbSkdvkBAh-WuV08oiTYVApPb29WE6h_q7JJAzbTaU4ApDjQ8hAR9q4_nwEMHxlqCpnVg9fMKT-D2ICeR8DB. This command is authenticated as yarabaelish.835850@gmail.com which is the active account specified by the [core/account] property
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - subject: '110002'
    type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: serviceusage.googleapis.com
  reason: AUTH_PERMISSION_DENIED

Additional information

No response

[gemini-cli]

🤖 Hi @anguillanneuf, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

[anguillanneuf]

@gsehgal You might be able to shed light on the service changes to cloudcode-pa.googleapis.com. I don't think we can directly enable this service using gcloud.

[anguillanneuf]

Another minor issue with the script is the lack of the ability to check for service account email character length. I hit Step 5 (as shown) and was informed that a service account had been created, even though it had not due to length issue (somehow the error did not show). This disrupted the flow.

🚀 Step 5: Create and Configure Service Account for Gemini CLI
ℹ️  Creating Service Account: gemini-cli-4de8375a
Created service account [gemini-cli-4de8375a].
✅ Service Account created: gemini-cli-4de8375a@festive-nova-476819.iam.gserviceaccount.com
ℹ️  Granting 'Cloud AI Companion User' role to Service Account...
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Service account gemini-cli-4de8375a@festive-nova-476819.iam.gserviceaccount.com does not exist.

[gsehgal]

Hi, Actually the code

https://github.com/google-gemini/gemini-cli/blob/main/packages/core/src/code_assist/server.ts#L62

uses 'https://cloudcode-pa.googleapis.com' which is internal api

this probably needs to be changed to a public facing API geminicodeassist.googleapis.com (check codeassist-integration-guide docs)
and also the setup script will need to change to include geminicodeassist.googleapis.com