Error Code 403 Permission iam.serviceAccounts.getAccessToken denied on resource

Google Cloud Serverless Applications
1

I am trying to test out getyAccessToken using the following curl command:

curl -X POST -H "Content-Type: application/json" \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/signal-simple-svc-acct@simple-signal-415623.iam.gserviceaccount.com:generateAccessToken

I receive the following error in response:

{
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}

The service account (URL Removed by Staff) has the following permissions: Owner, Service Account Token Creator, Service Account OpenID Connect Identity Token Creator, and Workload Identity user. I have no idea why this is happening. Any help would be greatly appreciated. I have a developer account with no organization, and my app is hosted on an AWS EC2 instance. I am using the Cognito/Google integration, although that isn’t really in the picture right now. Thanks!

1 Like
2

Hello @jgnoonan1990 ,

Even though your service account has the roles, you may want to consider ensuring the specific permission iam.serviceAccounts.getAccessToken. Attaching here the documentation that you can check for reference.

3

@dionv really? but the roles he specified already have that permission. Im having this issue too and no clue what to do.