Reputation: 1346
I'm trying to set up integration between Bitbucket Pipelines and GCP using OIDC to access GCP resources (e.g., list GCP storage buckets). Despite following all the steps outlined in the Atlassian Community guide, I encounter the following error:
ERROR: (gcloud.storage.buckets.list) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials', '{\n "error": {\n "code": 403,\n "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",\n "status": "PERMISSION_DENIED",\n "details": [\n {\n "@type": "type.googleapis.com/google.rpc.ErrorInfo",\n "reason": "IAM_PERMISSION_DENIED",\n "domain": "iam.googleapis.com",\n "metadata": {\n "permission": "iam.serviceAccounts.getAccessToken"\n }\n }\n ]\n }\n}\n')
Please run:
$ gcloud auth login
to obtain new credentials.
If you have already logged in with a different account, run:
$ gcloud config set account ACCOUNT
to select an already authenticated account to use.
Steps I followed:
Created a Workload Identity Pool in GCP:
gcloud beta iam workload-identity-pools create bitbucket-pipelines-oidc-demo \
--location="global" \
--description="A workload identity pool for Bitbucket Pipelines" \
--display-name="bitbucket-pipelines-oidc-demo"
Created an OIDC Provider
gcloud beta iam workload-identity-pools providers create-oidc bitbucket-oidc-idp \
--workload-identity-pool="bitbucket-pipelines-oidc-demo" \
--issuer-uri="https://api.bitbucket.org/2.0/workspaces/my-workspace/pipelines-config/identity/oidc" \
--location="global" \
--attribute-mapping="google.subject=assertion.sub,attribute.workspace_uuid=assertion.workspaceUuid" \
--allowed-audiences="ari:cloud:bitbucket::workspace/my-workspace-uuid"
Created a Service Account in GCP
gcloud iam service-accounts create my-service-account \
--display-name="Service account for OIDC integration"
Bound the Service Account to the Workload Identity Pool.
gcloud iam service-accounts add-iam-policy-binding [email protected] \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/my-project-number/locations/global/workloadIdentityPools/bitbucket-pipelines-oidc-demo/attribute.workspace_uuid/my-workspace-uuid"
Granted Permissions to the Service Account
gcloud projects add-iam-policy-binding my-project \
--member="serviceAccount:[email protected]" \
--role="roles/storage.viewer"
Applied serviceAccountTokenCreator:
gcloud projects add-iam-policy-binding my-project \
--member="serviceAccount:[email protected]" \
--role="roles/iam.serviceAccountTokenCreator"
Configured the Bitbucket Pipeline. Here is my bitbucket-pipelines.yml file
image: google/cloud-sdk:alpine
pipelines:
  default:
    - step:
        name: Test OIDC with GCP
        oidc: true
        script:
          # Save OIDC token to a file
          - echo -n "${BITBUCKET_STEP_OIDC_TOKEN}" > /tmp/gcp_access_token.out
          # Create GCP credentials
          - |
            gcloud iam workload-identity-pools create-cred-config \
              projects/my-project-number/locations/global/workloadIdentityPools/bitbucket-pipelines-oidc-demo/providers/bitbucket-oidc-idp \
              --service-account="[email protected]" \
              --output-file=/tmp/sts-creds.json \
              --credential-source-file=/tmp/gcp_access_token.out
          # Export credentials
          - export GOOGLE_APPLICATION_CREDENTIALS=/tmp/sts-creds.json
          # Authenticate and list buckets
          - gcloud auth login --cred-file=/tmp/sts-creds.json
          - gcloud storage buckets list
Observed Issue:
The pipeline fails at the step where it tries to list the buckets, returning the error mentioned above.
It appears that the service account does not have sufficient permissions to impersonate itself or access the iam.serviceAccounts.getAccessToken permission.
Questions:
What am I missing in the configuration? Are there additional permissions or roles required?
Is the issue related to how the credentials are generated or passed in the pipeline?
Could there be a problem with the OIDC token itself, and how can I debug it?
Upvotes: 1
Views: 150
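The third question (how to debug the OIDC token) and the `getAccessToken` denial both come down to the same check: do the token's claims, after the provider's attribute mapping, produce exactly the value named in the `principalSet://` member of the service account's IAM binding? The Python script below is an added example, not code from the question, Atlassian or Google. It decodes a token's payload without verifying the signature (GCP's STS endpoint does that against Bitbucket's JWKS; this is only an offline claims-vs-configuration check), evaluates a plain `attribute=assertion.claim` mapping, parses the IAM member string, and reports every mismatch. The token, UUIDs and project number are constructed placeholders; `BAD_MEMBER` shows one near miss, a binding whose UUID lacks the braces Bitbucket includes in its UUID claims, which IAM compares literally. A real `BITBUCKET_STEP_OIDC_TOKEN` captured in the pipeline can be passed to `check_token()` instead of the sample.

```python
"""Offline consistency check: Bitbucket OIDC token claims vs. a GCP Workload Identity
provider and a service-account IAM binding. Added example with constructed inputs;
the signature is not verified here (GCP STS does that), only claim/binding agreement."""
import base64
import json
import re

# Constructed placeholders (Bitbucket UUID claims carry the surrounding braces).
WORKSPACE_UUID = "{11111111-2222-3333-4444-555555555555}"
REPO_UUID = "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"
STEP_UUID = "{ffffffff-0000-1111-2222-333333333333}"
PROJECT_NUMBER = "123456789012"  # placeholder for my-project-number

SAMPLE_CLAIMS = {
    "iss": "https://api.bitbucket.org/2.0/workspaces/my-workspace/pipelines-config/identity/oidc",
    "aud": f"ari:cloud:bitbucket::workspace/{WORKSPACE_UUID}",
    "sub": f"{REPO_UUID}:{STEP_UUID}",
    "workspaceUuid": WORKSPACE_UUID,
}

# Provider settings mirroring the question's create-oidc flags.
PROVIDER = {
    "issuer_uri": SAMPLE_CLAIMS["iss"],
    "allowed_audiences": [f"ari:cloud:bitbucket::workspace/{WORKSPACE_UUID}"],
    "attribute_mapping": "google.subject=assertion.sub,"
                         "attribute.workspace_uuid=assertion.workspaceUuid",
    "project_number": PROJECT_NUMBER,
    "pool": "bitbucket-pipelines-oidc-demo",
}

GOOD_MEMBER = (
    f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/"
    f"workloadIdentityPools/bitbucket-pipelines-oidc-demo/attribute.workspace_uuid/{WORKSPACE_UUID}"
)
# Same binding with the braces dropped from the UUID: IAM compares the mapped attribute
# value literally, so this member never matches and the token exchange is denied.
BAD_MEMBER = GOOD_MEMBER.replace(WORKSPACE_UUID, WORKSPACE_UUID.strip("{}"))

MEMBER_RE = re.compile(
    r"^principal(Set)?://iam\.googleapis\.com/projects/(?P<project>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[^/]+)/(?P<selector>subject|attribute\.[^/]+)/(?P<value>.+)$"
)


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature, for the constructed sample only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.not-a-real-signature"


def decode_payload(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token does not have three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def resolve_mapping(mapping: str, claims: dict) -> dict:
    """Evaluate a plain `target=assertion.<claim>` mapping (CEL expressions not supported)."""
    resolved = {}
    for pair in mapping.split(","):
        target, _, expr = pair.strip().partition("=")
        if not expr.startswith("assertion."):
            raise ValueError(f"unsupported mapping expression: {expr}")
        resolved[target] = claims.get(expr[len("assertion."):])
    return resolved


def check_token(token: str, provider: dict, member: str) -> list:
    """Return a list of mismatches; an empty list means the binding can match this token."""
    claims = decode_payload(token)
    findings = []
    if claims.get("iss") != provider["issuer_uri"]:
        findings.append(f"issuer mismatch: token iss={claims.get('iss')!r}")
    auds = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if not any(a in provider["allowed_audiences"] for a in auds):
        findings.append(f"audience mismatch: token aud={auds!r} not in allowed-audiences")
    m = MEMBER_RE.match(member)
    if not m:
        return findings + [f"unparseable IAM member: {member!r}"]
    if m["project"] != provider["project_number"] or m["pool"] != provider["pool"]:
        findings.append("IAM member names a different project number or pool than the provider")
    mapped = resolve_mapping(provider["attribute_mapping"], claims)
    key = "google.subject" if m["selector"] == "subject" else m["selector"]
    if mapped.get(key) != m["value"]:
        findings.append(f"{key} mismatch: token maps to {mapped.get(key)!r}, "
                        f"binding expects {m['value']!r}")
    return findings


if __name__ == "__main__":
    tok = make_unsigned_token(SAMPLE_CLAIMS)
    for label, member in (("good binding", GOOD_MEMBER), ("bad binding", BAD_MEMBER)):
        print(f"{label}: {check_token(tok, PROVIDER, member) or 'OK'}")
```

Run inside the pipeline step with the real token and the real `--member` string to see which of issuer, audience, pool or mapped attribute disagrees; when all four agree and the exchange is still denied, the remaining suspects are the `roles/iam.workloadIdentityUser` binding being on the wrong service account or the credential file naming a different pool or provider than the one the binding references.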