Mistic92

Reputation: 143

Gitlab connection to GCP Workload Identity Federation returns invalid_grant

Yesterday I saw that Gitlab has enabled OIDC JWT tokens for jobs on CI/CD. I know that CI_JOB_JWT_V2 is marked as an alpha feature.

I was trying to use it with Workflow Identity Federation (WIF) on a Gitlab runner with the gcloud CLI, but I'm getting an error. When I tried to do it through the STS API I got the same error. What am I missing?

{
    "error": "invalid_grant",
    "error_description": "The audience in ID Token [https://gitlab.com] does not match the expected audience."
}

My Gitlab JWT token after decoding looks mostly like this (of course without details):

{
  "namespace_id": "1111111111",
  "namespace_path": "xxxxxxx/yyyyyyyy/zzzzzzzzzzz",
  "project_id": "<project_id>",
  "project_path": "xxxxxxx/yyyyyyyy/zzzzzzzzzzz/hf_service",
  "user_id": "<user_id>",
  "user_login": "<username>",
  "user_email": "<user_email>",
  "pipeline_id": "456971569",
  "pipeline_source": "push",
  "job_id": "2019605390",
  "ref": "develop",
  "ref_type": "branch",
  "ref_protected": "true",
  "environment": "develop",
  "environment_protected": "false",
  "jti": "<jti>",
  "iss": "https://gitlab.com",
  "iat": <number>,
  "nbf": <number>,
  "exp": <number>,
  "sub": "project_path:xxxxxxx/yyyyyyyy/zzzzzzzzzzz/hf_service:ref_type:branch:ref:develop",
  "aud": "https://gitlab.com"
}

In the GCP console I have a WIF pool with one provider set to OIDC, named gitlab, with the issuer URL from https://gitlab.com/.well-known/openid-configuration.

I have tried to give the Service Account access to the whole pool, but there is no difference. The config created for this SA looks like below:

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/<projectnumber>/locations/global/workloadIdentityPools/<poolname>/providers/gitlab",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/gitlab-deployer@<projectid>.iam.gserviceaccount.com:generateAccessToken",
  "credential_source": {
    "file": "gitlab_token",
    "format": {
      "type": "text"
    }
  }
}

Upvotes: 0

Views: 1734

Answers (1)

Johannes Passing

Reputation: 2805

By default, workload identity federation expects the aud claim to contain the URL of the workload identity pool provider. This URL looks like this:

https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID

But your token seems to use https://gitlab.com as audience.

Either reconfigure GitHub to use the workload identity pool provider URL as the audience, or reconfigure the pool to use a custom audience by running:

gcloud iam workload-identity-pools providers update-oidc ... \
  --allowed-audiences=https://gitlab.com

Upvotes: 3
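A local pre-flight check for the mismatch discussed above, added here as an example (it is not code from the question or the answer): it decodes the job token's payload, derives the provider URL that STS expects from the external_account config's `audience` field, and reports whether the token's `aud` would be accepted, optionally taking into account audiences added with `--allowed-audiences`. `SAMPLE_CONFIG` and the test token are constructed placeholders, and no signature is verified.

```python
import base64
import json
from typing import Iterable, Tuple

# Constructed sample: an external_account config shaped like the one in the
# question (placeholder project/pool values). Only "audience" matters here.
SAMPLE_CONFIG = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456/locations/global/"
                "workloadIdentityPools/gitlab-pool/providers/gitlab",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
}

def expected_audience(config: dict) -> str:
    """The aud value STS expects by default: the provider URL, i.e. the
    config's '//iam.googleapis.com/...' audience with an https: scheme."""
    aud = config["audience"]
    if not aud.startswith("//iam.googleapis.com/"):
        raise ValueError("unexpected audience format in external_account config")
    return "https:" + aud

def decode_payload(jwt: str) -> dict:
    """Decode the payload segment only. The signature is NOT verified:
    this is a local diagnostic, not a trust decision (STS does the real check)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def check_token_audience(jwt: str, config: dict,
                         allowed_audiences: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True when the token's aud matches either the
    provider URL (the default) or one of the provider's --allowed-audiences."""
    aud = decode_payload(jwt).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    accepted = {expected_audience(config), *allowed_audiences}
    if any(a in accepted for a in auds):
        return True, f"aud {auds} accepted"
    return False, (f"aud {auds} not accepted; expected one of {sorted(accepted)} "
                   f"(set aud in the token or add it via --allowed-audiences)")

def make_test_jwt(payload: dict) -> str:
    """Build a constructed token with a dummy signature, for local checks only."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(payload)}.dummy-signature"
```

Running `check_token_audience` on a real CI_JOB_JWT_V2 value against your own external_account config prints the same mismatch STS reports, before any network call is made.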
