This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
This site is in read only until July 22 as we migrate to a new platform; refer to this community post for more details.
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Error in service account access token generation using workload identity federation

Posted on 06-02-2022 05:05 PM
zonglin
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi! Not sure if it's the right place to ask. I have a service running on AWS, and I want to publish the message via Pubsub to GCP, so I use the workload identity federation to achieve it. My teammate built a workload identity federation with guidance and generated a JSON file with the type of "external_account." I passed this file with topic id and project id to GCP and tried to publish the message. However, I got an error in service account access token generation.

"message did not publish successfully: message did not publish successfully: rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: oauth2/google: unable to generate access token: Post \"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<topic_id>@<project_id>.iam.gserviceaccount.com:generateAccessToken\": Get \"http://169.254.169.254/latest/meta-data/iam/security-credentials\": dial tcp 169.254.169.254:80: i/o timeout”

I don't know why I got this error. Can someone help me, please? Please share any ideas you have, much appreciated!

0 3 2,290
Topic Labels
0 Likes
Reply
3 REPLIES 3

Posted on --/--/---- --:-- AM
DanielOrtega
Former Googler
Reply posted on --/--/---- --:-- AM

Actually no, is not the right place as the issue is mostly from AWS’s side. You can try an interconnection tool such as Digital Ocean.

0 Likes
Reply

Posted on --/--/---- --:-- AM
Yoli
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi @DanielOrtega I got also the same issue when I try to access GCP with workload load identity with my local aws sts token. 

I followed the instruction on https://cloud.google.com/iam/docs/workload-identity-federation, and it works if the workload is ec2 or lambda. But when I try it in local( for devs we firstly still need to test things in local), even aws sts token is right, the code snippet below:

 

const auth = new google.auth.GoogleAuth({
keyFile,
});
const authClient = await auth.getClient();
return google.sheets({
version: 'v4',
auth: authClient,
});
 
works for some time, but not most of the time..
 
 
0 Likes
Reply

Posted on --/--/---- --:-- AM
Yoli
Bronze 1
Bronze 1
In response to Yoli
Reply posted on --/--/---- --:-- AM

I asked AWS support, they think it's GCP side's problem. Just wondering whether the google.auth.GoogleAuth  supports reading local aws access tokens.

0 Likes
Reply
Top Labels in this Space