Reputation: 83
I am attempting to call the https://sts.googleapis.com/v1/token API from AWS Lambda to perform a workload identity federation and getting the error {"error":"invalid_request","error_description":"The size of mapped attribute google.subject exceeds the 127 bytes limit. Either modify your attribute mapping or the incoming assertion to produce a mapped attribute that is less than 127 bytes."}
Input:
{
  "subjectToken": "[EncodedSigv4token]",
  "audience": "//iam.googleapis.com/projects/[projectID]/locations/global/workloadIdentityPools/awspool/providers/alpha",
  "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
  "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
  "scope": "https://www.googleapis.com/auth/cloud-platform",
  "subjectTokenType": "urn:ietf:params:aws:token-type:aws4_request"
}
I am not able to figure out what this error means and how to resolve this. I am following https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#rest to make the STS API call.
Upvotes: 2
Views: 1291
Reputation: 3247
In a different setup where you work with Gitlab-CI (for example the terraform in gitlab-ci sends the requests to GCP) the following can happen:
Gitlab sends a JWT token to Google for authentication and attributes of the token are mapped to Google attributes at Google. The sub attribute is mapped to the google.subject attribute. And the sub attribute in the Gitlab claim looks like this:
project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}
https://docs.gitlab.com/ee/ci/cloud_services/index.html#configure-a-conditional-role-with-oidc-claims
If the terraform does not fit the size of the google.subject attribute, then it is probably because some part of the sub attribute is too long. Notice there is a branch_name, group and project in the format above!
So the error can happen if you are making a request from a Merge Request that has a longer branch name, or if your repository is nested too much (inside too many nested GitLab groups / directories).
Upvotes: 0
Reputation: 83
The error I was facing was because the IAM Role ARN was too long in my case. Fixed the issue by giving a shorter name to the assumed role. After that I was able to use Google workload identity federation successfully.
Upvotes: 3
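A preflight check for the limit both answers run into, added here as an example (not code from the original post, Google's docs or GitLab's): it builds the value google.subject receives under the default AWS mapping (assumed to be assertion.arn, which for assumed-role credentials is the STS assumed-role ARN) and under the GitLab sub format quoted above, measures it in bytes, and reports how far a role name must shrink. The account id, role, session and GitLab path values are constructed.

```python
# Limit quoted in the STS error on this page ("less than 127 bytes").
GOOGLE_SUBJECT_MAX_BYTES = 127


def aws_subject(account_id: str, role_name: str, session_name: str) -> str:
    """Value google.subject receives for an AWS provider with the default
    mapping google.subject = assertion.arn (assumed here; check the provider's
    attribute mapping). For credentials obtained by assuming a role the ARN is
    the STS assumed-role ARN, which carries the session name as well."""
    return f"arn:aws:sts::{account_id}:assumed-role/{role_name}/{session_name}"


def gitlab_subject(group: str, project: str, ref_type: str, ref: str) -> str:
    """Value google.subject receives when GitLab's sub claim is mapped 1:1
    (format taken from the GitLab answer above)."""
    return f"project_path:{group}/{project}:ref_type:{ref_type}:ref:{ref}"


def check_subject(subject: str) -> dict:
    """Measure the mapped subject in UTF-8 bytes (the limit is in bytes, not
    characters) and report whether the token exchange would be rejected."""
    size = len(subject.encode("utf-8"))
    return {
        "bytes": size,
        "ok": size < GOOGLE_SUBJECT_MAX_BYTES,
        "over_by": max(0, size - (GOOGLE_SUBJECT_MAX_BYTES - 1)),
    }


def max_aws_role_name_len(account_id: str, session_name: str) -> int:
    """Longest role name that keeps the assumed-role ARN under the limit for a
    given session name (for Lambda the session name is normally the function
    name; assumption, verify with the caller identity of your function)."""
    fixed = len(aws_subject(account_id, "", session_name).encode("utf-8"))
    return GOOGLE_SUBJECT_MAX_BYTES - 1 - fixed


if __name__ == "__main__":
    # Constructed sample values, not taken from the original post.
    for subj in (
        aws_subject("123456789012", "a" * 100, "my-lambda"),
        gitlab_subject("org/platform/team/infra", "terraform", "branch",
                       "feature/very-long-branch-name-for-a-merge-request"),
    ):
        print(check_subject(subj), subj)
    print("max role name length:", max_aws_role_name_len("123456789012", "my-fn"))
```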