WIP: catch id-token perm error

andreaso · Mar 31, 2024 · 69d56e8 · 69d56e8
1 parent 1d64cf3
commit 69d56e8
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/vault_oidc_ssh_cert_action.py b/vault_oidc_ssh_cert_action.py
@@ -27,8 +27,17 @@ def _determine_audience(input_audience: str, vault_server: str) -> str:
 
 
 def _issue_github_jwt(jwt_aud: str) -> str:
-    req_token = os.environ["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]
-    req_url = os.environ["ACTIONS_ID_TOKEN_REQUEST_URL"]
+    try:
+        req_token = os.environ["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]
+        req_url = os.environ["ACTIONS_ID_TOKEN_REQUEST_URL"]
+    except KeyError as key_error:
+        title = "GitHub Actions workflow/job permission error"
+        helper_url = "https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings"
+        message = "The `id-token: write` permission appear to be missing."
+        message += f" See {helper_url} for more info."
+        _set_error_message(title, message)
+        raise VoscaError(title) from key_error
+
     full_url = f"{req_url}&audience={jwt_aud}"
     headers = {"Authorization": f"Bearer {req_token}"}