Error in service account access token generation using workload identity federation

Google Cloud Serverless Applications
1

Hi! Not sure if it’s the right place to ask. I have a service running on AWS, and I want to publish the message via Pubsub to GCP, so I use the workload identity federation to achieve it. My teammate built a workload identity federation with guidance and generated a JSON file with the type of “external_account.” I passed this file with topic id and project id to GCP and tried to publish the message. However, I got an error in service account access token generation.

“message did not publish successfully: message did not publish successfully: rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<topic_id>@<project_id>.iam.gserviceaccount.com:generateAccessToken": Get "[http://169.254.169.254/latest/meta-data/iam/security-credentials\](http://169.254.169.254/latest/meta-data/iam/security-credentials\)”: dial tcp 169.254.169.254:80: i/o timeout”

I don’t know why I got this error. Can someone help me, please? Please share any ideas you have, much appreciated!

2

Actually no, is not the right place as the issue is mostly from AWS’s side. You can try an interconnection tool such as Digital Ocean.

3

Hi @DanielOrtega I got also the same issue when I try to access GCP with workload load identity with my local aws sts token.

I followed the instruction on https://cloud.google.com/iam/docs/workload-identity-federation, and it works if the workload is ec2 or lambda. But when I try it in local( for devs we firstly still need to test things in local), even aws sts token is right, the code snippet below:

const auth = new google.auth.GoogleAuth({
keyFile,
scopes: [‘https://www.googleapis.com/auth/spreadsheets’],
});
const authClient = await auth.getClient();
return google.sheets({
version: ‘v4’,
auth: authClient,
});

works for some time, but not most of the time..

4

I asked AWS support, they think it’s GCP side’s problem. Just wondering whether the google.auth.GoogleAuth supports reading local aws access tokens.