SullivanF

GCP - Workload Identity Federation : AccessDeniedException: 403 Permission

I’m working on a new GitLab CI pipeline with GCP. I’ve created a service account, but due to security restrictions, I cannot create an SSH key. Instead, I’m using Workload Identity Federation. I’ve set up a Pool and added my provider.

Here’s what my CI configuration looks like:

deploy_to_gae:
  stage: deploy
  id_tokens:
    ID_TOKEN:
      aud: "//iam.googleapis.com/projects/.../locations/global/workloadIdentityPools/.../providers/..."
    SIGSTORE_ID_TOKEN:
      aud: "sigstore"
  tags:
    - runner1
  script:
    - echo ${ID_TOKEN} > .ci_jwt_v2
    - gcloud iam workload-identity-pools create-cred-config projects/.../locations/global/workloadIdentityPools/.../providers/... --service-account="[email protected]" --output-file=.gcp_credentials.json --credential-source-file=.ci_jwt_v2

    - gcloud auth login --cred-file=`pwd`/.gcp_credentials.json
    - cat .gcp_credentials.json
    - gcloud config set project $GCP_PROJECT_ID
    - gcloud app deploy --quiet
  only:
    - main

However, I’m encountering this error in the logs:

$ echo ${ID_TOKEN} > .ci_jwt_v2
$ gcloud iam workload-identity-pools create-cred-config projects/.../locations/global/workloadIdentityPools/.../providers/... --service-account="[email protected]" --output-file=.gcp_credentials.json --credential-source-file=.ci_jwt_v2
Created credential configuration file [.gcp_credentials.json].
$ gcloud auth login --cred-file=`pwd`/.gcp_credentials.json
Authenticated with external account credentials for: [[email protected]].
Your current project is [None].  You can change this setting by running:
  $ gcloud config set project PROJECT_ID
$ cat .gcp_credentials.json
{
  "universe_domain": "googleapis.com",
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/.../locations/global/workloadIdentityPools/.../providers/...",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": ".ci_jwt_v2"
  },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken"
}
$ gcloud config set project $GCP_PROJECT_ID
ERROR: (gcloud.config.set) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials', '{\n  "error": {\n    "code": 403,\n    "message": "Permission \'iam.serviceAccounts.getAccessToken\' denied on resource (or it may not exist).",\n    "status": "PERMISSION_DENIED",\n    "details": [\n      {\n        "@type": "type.googleapis.com/google.rpc.ErrorInfo",\n        "reason": "IAM_PERMISSION_DENIED",\n        "domain": "iam.googleapis.com",\n        "metadata": {\n          "permission": "iam.serviceAccounts.getAccessToken"\n        }\n      }\n    ]\n  }\n}\n')

I’ve already granted several permissions (I’ll remove unnecessary roles later), but the error persists. Here are the permissions I’ve applied:

bindings:
- members:
  - serviceAccount:[email protected]
  role: roles/appengine.serviceAgent
- members:
  - serviceAccount:[email protected]
  role: roles/appengineflex.serviceAgent
- members:
  - serviceAccount:[email protected]
  role: roles/iam.serviceAccountAdmin
- members:
  - serviceAccount:[email protected]
  role: roles/iam.serviceAccountOpenIdTokenCreator
- members:
  - principal://iam.googleapis.com/projects/.../locations/global/workloadIdentityPools/.../subject/...
  - principalSet://iam.googleapis.com/projects/.../locations/global/workloadIdentityPools/.../attribute.repository/clients/...
  - principalSet://iam.googleapis.com/projects/.../locations/global/workloadIdentityPools/.../attribute.repository/...
  - principalSet://iam.googleapis.com/projects/.../locations/global/workloadIdentityPools/.../attribute.repository/...
  - serviceAccount:[email protected]
  - user:...@...
  role: roles/iam.serviceAccountTokenCreator
- members:
  - principalSet://iam.googleapis.com/projects/.../locations/global/workloadIdentityPools/.../attribute.repository/clients/...
  - serviceAccount:[email protected]
  role: roles/iam.serviceAccountUser
- members:
  - serviceAccount:[email protected]
  role: roles/iam.workloadIdentityUser
etag: BwYiTdmWSfM=
version: 1

If anyone has any ideas or solutions, your help would be greatly appreciated!


Answers (0)
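The 403 on iam.serviceAccounts.getAccessToken is raised when the STS token exchange succeeds but the federated principal that IAM derives from the ID token's claims holds no role carrying that permission on the target service account (roles/iam.workloadIdentityUser or roles/iam.serviceAccountTokenCreator, bound on the service account or inherited from the project). Whether a posted `principal://` or `principalSet://` member actually matches depends on the provider's attribute mapping and on the token's claim values, both of which are elided above. The script below is an added example, not code from the original post: it decodes a CI ID token, reconstructs the principal identifiers IAM would derive from it under an assumed attribute mapping, and checks them against a service-account IAM policy in the JSON shape returned by `gcloud iam service-accounts get-iam-policy --format=json`. The JWT, audience, project number, pool and provider names, repository path, service account address and both policies are constructed placeholders.

```python
"""Local check: can the WIF principal derived from a CI ID token impersonate a service account?

Added example, not from the original post. All identifiers and the two policies are
constructed placeholders that mirror the shapes shown in the question.
"""
import base64
import json

# Roles that carry iam.serviceAccounts.getAccessToken when bound on the service account.
IMPERSONATION_ROLES = {"roles/iam.workloadIdentityUser", "roles/iam.serviceAccountTokenCreator"}

# Assumed provider attribute mapping (CEL reduced to plain claim references).
ATTRIBUTE_MAPPING = {"google.subject": "sub", "attribute.repository": "project_path"}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT. No signature check: this is a policy
    diagnostic on a token we already hold, never an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))

def pool_from_audience(audience: str) -> str:
    """'//iam.googleapis.com/projects/N/.../workloadIdentityPools/P/providers/X'
    -> 'projects/N/locations/global/workloadIdentityPools/P'."""
    prefix = "//iam.googleapis.com/"
    if not audience.startswith(prefix) or "/providers/" not in audience:
        raise ValueError("audience is not a workload identity pool provider")
    return audience[len(prefix):].split("/providers/")[0]

def candidate_principals(pool: str, claims: dict, mapping: dict) -> set:
    """principal:// and principalSet:// identifiers IAM derives for this token."""
    base = f"iam.googleapis.com/{pool}"
    principals = {f"principalSet://{base}/*"}  # "all identities in the pool"
    subject_claim = mapping.get("google.subject", "sub")
    if subject_claim in claims:
        principals.add(f"principal://{base}/subject/{claims[subject_claim]}")
    for attribute, claim in mapping.items():
        if attribute.startswith("attribute.") and claim in claims:
            principals.add(f"principalSet://{base}/{attribute}/{claims[claim]}")
    return principals

def impersonation_grants(sa_policy: dict, principals: set) -> list:
    """(member, role) pairs on the SA policy that grant impersonation to this token.
    An empty list corresponds to the 403 getAccessToken error seen in the post."""
    grants = []
    for binding in sa_policy.get("bindings", []):
        if binding.get("role") not in IMPERSONATION_ROLES:
            continue
        grants += [(m, binding["role"]) for m in binding.get("members", []) if m in principals]
    return grants

def check(token: str, audience: str, sa_policy: dict) -> list:
    claims = jwt_claims(token)
    return impersonation_grants(sa_policy, candidate_principals(pool_from_audience(audience), claims, ATTRIBUTE_MAPPING))

# ---- constructed sample data (placeholders, not the poster's real values) ----
def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token with an empty signature segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

POOL_AUDIENCE = ("//iam.googleapis.com/projects/123456789012/locations/global/"
                 "workloadIdentityPools/gitlab-pool/providers/gitlab-provider")
SA_EMAIL = "ci-deploy@my-project.iam.gserviceaccount.com"  # placeholder
SAMPLE_TOKEN = make_unsigned_jwt({
    "iss": "https://gitlab.example.com", "aud": POOL_AUDIENCE,
    "sub": "project_path:clients/app:ref_type:branch:ref:main", "project_path": "clients/app",
})
# Broken: the SA's own policy binds the role to the SA itself, not to any pool principal.
BROKEN_SA_POLICY = {"bindings": [
    {"role": "roles/iam.workloadIdentityUser", "members": [f"serviceAccount:{SA_EMAIL}"]},
]}
# Fixed: the principalSet the token maps to holds roles/iam.workloadIdentityUser on the SA.
FIXED_SA_POLICY = {"bindings": [
    {"role": "roles/iam.workloadIdentityUser", "members": [
        "principalSet://iam.googleapis.com/projects/123456789012/locations/global/"
        "workloadIdentityPools/gitlab-pool/attribute.repository/clients/app"]},
]}

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_SA_POLICY), ("fixed", FIXED_SA_POLICY)):
        grants = check(SAMPLE_TOKEN, POOL_AUDIENCE, policy)
        print(name, "->", grants or "no impersonation grant; expect 403 getAccessToken")
```

To run this against a real pipeline, replace `ATTRIBUTE_MAPPING` with the mapping shown by `gcloud iam workload-identity-pools providers describe`, feed it the token the job wrote to `.ci_jwt_v2` and the policy from `gcloud iam service-accounts get-iam-policy SA --format=json`; if the resulting list is empty, the member strings in the policy do not match what IAM derives from the token (the "(or it may not exist)" branch of the error), and the binding has to be added on the service account with the exact `principalSet://...` the script prints.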
