Configure Workload Identity Federation with Lambda AWS + Google Client Libraries

Hello there
I followed the documentation (https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds) to give a Lambda function access to GCP.
And I used this: https://github.com/googleapis/google-auth-library-nodejs?tab=readme-ov-file#using-external-identities

If I use new GoogleAuth, I get:

{
    "errorType": "Error",
    "errorMessage": "403 undefined: Getting metadata from plugin failed with error: Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "code": 403,
    "details": "Getting metadata from plugin failed with error: Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist)."
}

As is written in the documentation, the service account should have all the permissions that I want to grant to the principal, in this case my Lambda. The APIs are enabled too, and the permissions for the service account are: Service Account Token Creator, Viewer and Workload Identity User.

If I use new AwsClient and manually type everything that is in the config file generated by Google, I get this:

{
    "errorType": "TypeError",
    "errorMessage": "this.auth.getUniverseDomain is not a function",
    "stack": [
        "TypeError: this.auth.getUniverseDomain is not a function",
        "    at GrpcClient.createStub (/var/task/node_modules/google-gax/build/src/grpc.js:312:54)"
    ]
}

These are the versions I’m using for google-auth-library:
google-gax@4.3.8
└── google-auth-library@9.13.0

Can someone please tell me what I am doing wrong?
Thanks!
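
Added example, not part of the original post and not code from google-auth-library: a Node.js helper that reads an external-account credential configuration of the kind the post mentions and derives which federated principal needs `roles/iam.workloadIdentityUser` on the impersonated service account, since the `iam.serviceAccounts.getAccessToken` check applies to that caller on that service account. The project number, pool, provider, service account and AWS role ARN are constructed sample values, `auditFederationConfig` is a hypothetical name, and the `attribute.aws_role` member form assumes the provider uses the default AWS attribute mapping.

```javascript
// Constructed sample of a credential configuration file for an AWS provider.
const SAMPLE_CONFIG = {
  type: 'external_account',
  audience: '//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/example-pool/providers/example-aws',
  subject_token_type: 'urn:ietf:params:aws:token-type:aws4_request',
  service_account_impersonation_url: 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/lambda-sa@example-project.iam.gserviceaccount.com:generateAccessToken',
  token_url: 'https://sts.googleapis.com/v1/token',
  credential_source: { environment_id: 'aws1', regional_cred_verification_url: 'https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15' },
};

// Hypothetical helper: validates the config shape and returns the IAM binding
// that must exist ON the service account FOR the Lambda's federated identity.
function auditFederationConfig(config, awsArn) {
  const problems = [];
  if (config.type !== 'external_account') problems.push('type is not "external_account"');
  if (config.subject_token_type !== 'urn:ietf:params:aws:token-type:aws4_request') {
    problems.push('subject_token_type is not the AWS signed-request type');
  }
  // The audience names the provider; the pool path inside it prefixes the member.
  const aud = /^\/\/iam\.googleapis\.com\/(projects\/\d+\/locations\/global\/workloadIdentityPools\/[^/]+)\/providers\/[^/]+$/
    .exec(config.audience || '');
  if (!aud) problems.push('audience is not a provider resource name with a project number');
  // Without an impersonation URL the library uses the federated token directly.
  const sa = /\/serviceAccounts\/([^/:]+):generateAccessToken$/
    .exec(config.service_account_impersonation_url || '');
  // Accept either a role ARN or a session ARN and drop the session name,
  // which is what the default attribute.aws_role mapping does (assumption).
  const role = /^arn:aws:sts::(\d{12}):assumed-role\/([^/]+)(?:\/.*)?$/.exec(awsArn || '');
  if (!role) problems.push('AWS ARN is not an sts assumed-role ARN');

  let binding = null;
  if (aud && sa && role) {
    binding = {
      resource: sa[1], // the service account the binding is set on
      role: 'roles/iam.workloadIdentityUser',
      member: `principalSet://iam.googleapis.com/${aud[1]}/attribute.aws_role/` +
              `arn:aws:sts::${role[1]}:assumed-role/${role[2]}`,
    };
  }
  return { problems, serviceAccount: sa ? sa[1] : null, binding };
}

// Constructed session ARN, as a Lambda execution role would present it.
const SAMPLE_ARN = 'arn:aws:sts::111122223333:assumed-role/example-lambda-role/example-session';
console.log(JSON.stringify(auditFederationConfig(SAMPLE_CONFIG, SAMPLE_ARN), null, 2));
```

The `binding` it prints can be compared with the service account's IAM policy: roles granted to the service account on the project are a different grant from this member holding a role on the service account itself.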