Workload Identity Between two GCPs: Keep getting accounts.google.com as ISS and WIF throws error

Google Cloud Cloud Foundations & Onboarding
1

We are new to setting up Workload Identity Federation. We need to ingest data from one GBQ to another GBQ across orgs. We must us WIF to setup access.

We decided to use OIDC token received from Google OpenID following https://medium.com/google-cloud/use-workload-identity-federation-with-another-gcp-project-98dc3b1c236c.

It worked on the same account but when testing across accounts, it always threw {“error”:“invalid_grant”,“error_description”:"The issuer in ID Token accounts.google.com does not match the expected ones: https://accounts.google.com."} .

Tried different approaches and now even tried going through gcloud cli.

On Gcloud CLI I am able to authenticate using the Provider config. Error doesn’t show up.

But when trying any resource access, like storage ls or bq query, I get the same above error all the time.

4 Likes
2

Hi @mais_an ,

The error message you are encountering is probably a cause of discrepancy between the issuer specified in the token and the resource you’re trying to access.

Checking Issuer Configuration:

  • Check the issuer URL specified in your WIF configuration across both accounts and it matches exactly with the issuer URL in the OIDC token received from Google OpenID.

Checking Service Account Permissions:

  • Verify that the service account you are using has the necessary permissions to access your BigQuery. You can grant the necessary permissions using IAM console or commands.
1 Like