From 483e21d72336e1e585247ca064b4fd7b3195381b Mon Sep 17 00:00:00 2001 From: Broc Seib Date: Tue, 21 Feb 2023 09:06:08 -0500 Subject: [PATCH] Updated troubleshooting to add permissions example (#262) Added another case that can cause `auth` to fail, helpful to users on day one of using the tool and trying to understand what's happening. Fixes https://github.com/google-github-actions/auth/issues/260#issuecomment-1419662751 --- docs/TROUBLESHOOTING.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index 34d49762..d47c069e 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md @@ -35,7 +35,7 @@ further debug: libraries. Please note that we do not have control over actions outside of `google-github-actions`. -If your workflow _fails_ after adding the the step to generate an access token, +If your workflow _fails_ after adding the step to generate an access token, it likely means there is a misconfiguration with Workload Identity. Here are some common sources of errors: @@ -55,6 +55,15 @@ some common sources of errors: **number**. Workload Identity Federation does not accept Google Cloud Project IDs. +1. Ensure that you have the correct `permissions:` for the job in your workflow, per + the [usage](../README.md#usage) docs, i.e. + + ```yaml + permissions: + contents: 'read' + id-token: 'write' + ``` + 1. Ensure you have created an **Attribute Mapping** for any **Attribute Conditions** or **Service Account Impersonation** principals. You cannot create an Attribute Condition unless you map that value from the incoming
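Review bot: In the second hunk (`@@ -55,6 +55,15 @@`), the new list item asks for "the correct `permissions:`" but does not say which of the two keys `auth` depends on, or what a user sees when it is missing. The commit message says the item is meant to help first-day users understand what is happening, so that gap matters. Consider adding a sentence stating that `id-token: 'write'` is what allows the job to request the GitHub OIDC token that is exchanged through Workload Identity Federation, and that `contents: 'read'` is only there so the checkout step keeps working. Because the item says "for the job", it would also help to note that a `permissions:` block lists every scope the job gets, so a workflow that already declares one needs `id-token: 'write'` added to it rather than a second block. The "i.e." reads as if these two lines are the complete required set. If other scopes may sit alongside them, "for example" is the safer wording.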