AndrewJaeyoung

Reputation: 438

403 error when trying to call cloud functions from GKE cluster

For context, I am sending a POST request to an API that I deployed onto a GKE cluster. The setup was successful, but I am running into the following error when I send the POST to the externally-facing endpoint.

Status: 403 Response:\nb"Failed to generate identity token; IAM returned 403 Forbidden: Permission 'iam.serviceAccounts.getOpenIdToken' denied on resource (or it may not exist).

This exact error is occurring when my API is trying to call a cloud function.

My cluster has Workload Identity enabled, and is running using my project's default Compute Engine service account (SA1). I have annotated the cluster's service account YAML file with the service account of the cloud function that it is trying to call (SA2). They all have the Workload Identity User and Service Account Token Creator roles, so the above permission should be provisioned to any of the service accounts involved in this workflow. How can I resolve this error and call the cloud function successfully from the GKE cluster?

NOTE: I have looked at a similar post: Unable to access cloud function from GKE Cluster

However, there was no resolution on that end.

Upvotes: 0

Views: 312

Answers (1)

AndrewJaeyoung

Reputation: 438

I figured out my issue.

I didn't set up the Kubernetes service account properly. I should've given the Workload Identity User and Cloud Functions Invoker + Admin roles to the Kubernetes service account associated with the cluster's workload identity.

I did not see this service account appear in the IAM section (it should be something of the form principal://iam.googleapis.com/projects/<project_number>/locations/global/workloadIdentityPools/<project_id>.svc.id.goog/subject/ns/<namespace>/sa/<kubernetes service account>). Make sure to provision this service account with the exact permissions needed to access the APIs that you need to access from the cluster. In this case, I gave the roles Cloud Function Admin and Cloud Function Invoker and it solved my access issue.

Upvotes: 0
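The answer quotes the shape of the Workload Identity principal but not the binding itself. The script below is an added example, not the poster's code: it composes that principal identifier (and the `serviceAccount:PROJECT_ID.svc.id.goog[NS/KSA]` member used by the annotation-based setup the question describes) and prints the `gcloud` commands that grant the principal the invoker role on one function and read the policy back to confirm it. It grants only `roles/cloudfunctions.invoker`, which is what calling a function requires; the Admin role from the answer is a separate decision. All project, namespace, service account, function and region values are constructed placeholders set through environment variables; `gcloud` is only executed when `APPLY=1` is set and the tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post): build the Workload Identity
# principal for a Kubernetes service account and the IAM binding that lets it
# invoke a single Cloud Function. Every value below is a constructed
# placeholder (assumption); override it through the environment.
PROJECT_ID="${PROJECT_ID:-example-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"
NAMESPACE="${NAMESPACE:-default}"
KSA="${KSA:-api-ksa}"
FUNCTION="${FUNCTION:-my-function}"
REGION="${REGION:-us-central1}"

# Direct Workload Identity principal for a Kubernetes service account, in the
# form quoted in the answer.
# Args: project_number project_id namespace ksa
wi_principal() {
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s.svc.id.goog/subject/ns/%s/sa/%s\n' \
    "$1" "$2" "$3" "$4"
}

# Member string used when the KSA is instead mapped to a Google service
# account via the iam.gke.io/gcp-service-account annotation and bound with
# roles/iam.workloadIdentityUser on that Google service account.
# Args: project_id namespace ksa
wi_user_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# gcloud command granting only the invoker role on one function to the
# principal (least privilege: Admin is not needed just to call it).
invoker_binding_cmd() {
  member=$(wi_principal "$PROJECT_NUMBER" "$PROJECT_ID" "$NAMESPACE" "$KSA")
  printf "gcloud functions add-iam-policy-binding %s --region=%s --role=roles/cloudfunctions.invoker --member='%s'\n" \
    "$FUNCTION" "$REGION" "$member"
}

# gcloud command that reads the function's policy back so the new binding
# can be checked before the workload is retried.
verify_cmd() {
  printf 'gcloud functions get-iam-policy %s --region=%s\n' "$FUNCTION" "$REGION"
}

# Print the commands; run gcloud directly (no eval) only when APPLY=1.
main() {
  invoker_binding_cmd
  verify_cmd
  if [ "${APPLY:-0}" = "1" ] && command -v gcloud >/dev/null 2>&1; then
    member=$(wi_principal "$PROJECT_NUMBER" "$PROJECT_ID" "$NAMESPACE" "$KSA")
    gcloud functions add-iam-policy-binding "$FUNCTION" --region="$REGION" \
      --role=roles/cloudfunctions.invoker --member="$member"
    gcloud functions get-iam-policy "$FUNCTION" --region="$REGION"
  fi
}
main
```

Run it once without `APPLY` to review the exact member string and commands, then with `APPLY=1` to apply them; the `get-iam-policy` output should list the principal under `roles/cloudfunctions.invoker` before the cluster workload is retried.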
