This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Using workload Identity federation AWS ECS

Posted on 04-29-2024 09:25 AM
TridentChase
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

How would one go about setting up workload identity federation for AWS ECS (container service)? 

IMDS url for EC2 instance - http://169.254.169.254/latest/meta-data/iam/security-credentials 

URL for ECS - http://169.254.170.2/get-credentials

When I try to use the config file that's generated after setting up WIF as per Google docs, I see "Failed to retrieve AWS credentials" exception in my application running on AWS ECS.

I used java gcp sdk to retrieve google credentials - 

String base64EncodedGCPCredentials = credentialsMap.get("base64EncodedGCPCredentials")

GoogleCredentials credentials = GoogleCredentials.fromStream(new ByteArrayInputStream(Base64.getDecoder().decode(base64EncodedGCPCredentials)));
Dns dns = DnsOptions.newBuilder()
.setCredentials(credentials)
.setProjectId(projectId)
.build()
.getService();

Any pointers on how to handle authentication using WIF with AWS ECS?

2 4 1,377
Topic Labels
4 REPLIES 4

Posted on --/--/---- --:-- AM
MaxImbrox
Silver 3
Silver 3
Reply posted on --/--/---- --:-- AM

Hi @TridentChase.,

have you followed the GCP official documentation? 
--> https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds

Posted on --/--/---- --:-- AM
TridentChase
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi @MaxImbrox ,

Yes I did. I see this 403 error when I try to use the service : 

POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/cloud-dns@gcp-tcore.iam.gservice...

{
  "error": {
   "code": 403,
   "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
   "errors": [
    {
     "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
     "domain": "global",
     "reason": "forbidden"
    }
   ],
   "status": "PERMISSION_DENIED",
   "details": [
    {
     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
     "reason": "IAM_PERMISSION_DENIED",
     "domain": "iam.googleapis.com",
     "metadata": {
      "permission": "iam.serviceAccounts.getAccessToken"
     }
    }
   ]
  }
 }

The service account being used does have iam.serviceAccounts.getAccessToken and I've double checked it. 

Posted on --/--/---- --:-- AM
ffd
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Has anyone found a solution to this?
I am having the same problem

Posted on --/--/---- --:-- AM
TridentChase
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

We used the below steps to fix the issue :

  1. Set attribute.aws_role in attribute mapping to assertion.arn.extract('assumed-role/{role}/')
  2. Set attribute.aws_role="career-ecs"

We noticed that for ecs, when getCallerIdentity is called, it returns career-ecs as the assumed role. 

P.S we used service account impersonation 

Top Labels in this Space
Top Solution Authors
View all