Error: google-github-actions/auth failed with: retry function failed after 1 attempt: failed to parse service account key JSON credentials: unexpected token \ in JSON at position 1

[rahul4tem]

TL;DR

I am fetching raw JSON file similar to (#315) from vault secrets in github actions, but the format is getting changed while trying to retrieve with this action. The issue started yesterday, I had tried with github secrets and is working fine, but not with vault secrets.
No change is done in JSON file/configurations.

Expected behavior

Proper JSON format for vault secrets for github actions

Observed behavior

Original JSON file from vault is getting changed to {\n"type": "*******",\n"project_id": "",\n"private_key_id":........\n} while fetching in github actions

Action YAML

- id: auth
      uses: google-github-actions/auth@v0
      with:
        credentials_json: ${{ steps.import-secrets.outputs.GOOGLE_CREDS }}
 ###Tried with env.GOOGLE_CREDS as well

Log output

Error: google-github-actions/auth failed with: retry function failed after 1 attempt: failed to parse service account key JSON credentials: unexpected token \ in JSON at position 1

Additional information

The configuration was working fine till yesterday and nothing has been changed from our end. I was monitoring the ticket (#315), but I want to fetch from vault and not from Github secrets.
Note: with Github secrets this is working fine

Existing file format:

{
"type": "service_account",
"project_id": "PROJECT_ID",
"private_key_id": "KEY_ID",
"private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
"client_email": "SERVICE_ACCOUNT_EMAIL",
"client_id": "CLIENT_ID",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}

[github-actions]

Hi there @rahul4tem 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

[sethvargo]

Hi @rahul4tem - this feels like a duplicate of #315. What is the value of steps.import-secrets.outputs.GOOGLE_CREDS? #315 was also about fetching from Vault, so I wonder if there was a Vault API change.

[sethvargo]

Duplicate of hashicorp/vault-action#469

[sdsani]

Hello there. I have posted a comment at #315 since I am getting same error. My use case is exact same.
It started recently, if I store same creds (single line/multiline) in github action secrets then it works, however, when it is pulled from vault, it fails. Below is my test flow.

I have tried logging pulled jason using echo command also and I don't see any issue with it. Please advise

name: Test Flow
on:
workflow_dispatch:

permissions:
contents: read
id-token: write

jobs:
test:
name: Vault connect test
runs-on: docker-new

 steps:
   - name: Checkout
     uses: actions/checkout@v3

   - name: Import Secrets
     id: secrets
     uses: hashicorp/vault-action@v2
     with:
       method: jwt
       url: https://domainname:8200
       namespace: XX001
       role: XXXXX
       exportToken: true
       secrets: |
         path gke_sa_key | GKE_KEY

   - id: auth
     name: 'Authenticate to Google Cloud'
     uses: 'google-github-actions/auth@v1'
     with:
       credentials_json: ${{ steps.secrets.outputs.GKE_KEY }}

[sdsani]

I am able to test/validate and this issue is result of #469 mentioned above. Using 2.6.0 solves this problem so will use that.