Meilan

Reputation: 484

Error in service account access token generation using workload identity federation

I have a service running on AWS, and I want to publish the message via Pubsub to GCP, so I use the workload identity federation to achieve it. My teammate built a workload identity federation with guidance and generated a JSON file with the type of "external_account." I passed this file with topic id and project id to GCP and tried to publish the message. However, I got an error in service account access token generation.

"message did not publish successfully: message did not publish successfully: 
rpc error: code = Unauthenticated desc = transport: 
per-RPC creds failed due to error: oauth2/google: unable to generate access token: 
Post \"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<topic_id>@<project_id>.iam.gserviceaccount.com:generateAccessToken\": 
Get \"http://169.254.169.254/latest/meta-data/iam/security-credentials\": 
dial tcp 169.254.169.254:80: i/o timeout"

I don't understand what it means. I can say there's a timeout issue, but why? Can someone help me, please? Please share any ideas you have, much appreciated!

Update: My teammate created all the steps, and I think the things like the IAM role are created. I followed this document to verify if it works, and it returns the error above.

Upvotes: 0

Views: 1565

Answers (1)

user22551366

Reputation: 1

I was seeing exactly this error when attempting Workload Identity authentication with GCP from AWS CodeBuild. For me the issue was that the metadata endpoint is not 169.254.169.254 in CodeBuild. Instead it is http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. However, it is required to use the 169.254.169.254 endpoint. The only way I can see to resolve this is to avoid the use of the metadata endpoint to fetch the creds by setting AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables.

AWS metadata endpoint not available in CodeBuild and https://github.com/ohsawa0515/aws-ecs-gcp-workload-identity-federation/tree/main have more detail.

Upvotes: 0
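An added preflight check, written here to illustrate the answer above and not taken from either post or from Google's client library: it applies the answer's reasoning (static AWS keys in the environment are used before the metadata endpoint; in ECS/CodeBuild only the container credentials URI is set, so the 169.254.169.254 call is what times out) and probes the IMDS URL from the error with a short timeout so the failure surfaces before the first publish. The verdict strings and the 2-second probe timeout are this example's own choices; the IMDS URL is the one in the question's error.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"time"
)

// IMDS URL from the config's credential_source (the URL seen in the error above).
const imdsURL = "http://169.254.169.254/latest/meta-data/iam/security-credentials"

// predictLookup says where the Google auth library will obtain AWS credentials:
// static keys in the environment are used before IMDS; when only the ECS/CodeBuild
// container credentials URI is present, the IMDS call is the one that times out.
// The verdict strings are this example's own labels, not library values.
func predictLookup(env map[string]string) string {
	if env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != "" {
		return "env-keys"
	}
	if env["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"] != "" {
		return "imds-will-timeout"
	}
	return "imds"
}

// probeIMDS makes a bounded GET so an unreachable endpoint shows up in seconds
// rather than as an i/o timeout buried inside the Pub/Sub publish. Any HTTP
// response (even 401 from an IMDSv2-only host) means the route exists; only a
// transport error (dial timeout, connection refused) is reported as a failure.
func probeIMDS(url string, timeout time.Duration) error {
	resp, err := (&http.Client{Timeout: timeout}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() {
	env := map[string]string{}
	for _, k := range []string{"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"} {
		env[k] = os.Getenv(k)
	}
	fmt.Println("credential lookup:", predictLookup(env))
	if err := probeIMDS(imdsURL, 2*time.Second); err != nil {
		fmt.Println("IMDS unreachable:", err)
	}
}
```

Run it inside the CodeBuild job (or any ECS task) before the publisher starts; a verdict of "imds-will-timeout" followed by an "IMDS unreachable" line is the same condition the question's error reports.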
