We are new to setting up Workload Identity Federation. We need to ingest data from one GBQ to another GBQ across orgs. We must use WIF to set up access.
We decided to use OIDC token received from Google OpenID following https://medium.com/google-cloud/use-workload-identity-federation-with-another-gcp-project-98dc3b1c23...
It worked on the same account but when testing across accounts, it always threw {"error":"invalid_grant","error_description":"The issuer in ID Token accounts.google.com does not match the expected ones: https://accounts.google.com."}.
Tried different approaches and now even tried going through gcloud cli.
On gcloud CLI I am able to authenticate using the Provider config. The error doesn't show up.
But when trying any resource access, like storage ls or bq query, I get the same error as above all the time.
Hi @mais_an,
The error message you are encountering is probably caused by a discrepancy between the issuer specified in the token and the resource you're trying to access.
Checking Issuer Configuration:
Checking Service Account Permissions:
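One way to check the first of those points locally, before the token ever reaches the STS endpoint, is to decode the ID token's claims and compare `iss` and `aud` with what the pool provider is configured to expect. The script below is an added example written for this thread, not code from the original post or from Google; the provider audience string is a placeholder in the usual WIF resource-name shape, and the sample token is constructed (unsigned, `alg: none`) purely so the comparison can be demonstrated offline. The comparison is a plain string comparison, which is exactly what produces the error quoted above when the token says `accounts.google.com` and the provider expects `https://accounts.google.com`.

```python
import base64
import json


# Placeholder for the provider's resource name, which is the default audience a
# WIF provider expects in the token. Substitute your own project number, pool id
# and provider id; these are not real values.
PROVIDER_AUDIENCE = (
    "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/"
    "workloadIdentityPools/POOL_ID/providers/PROVIDER_ID"
)


def _b64url_encode(raw: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that JWT encoding strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Diagnostic only: the signature is NOT verified here. STS verifies it
    server-side; this function just lets you see what the token says.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token_against_provider(id_token: str,
                                 expected_issuer: str,
                                 expected_audience: str) -> list:
    """Compare the token's iss/aud with the provider's configured values.

    Returns a list of human-readable problems; an empty list means both
    claims match. The issuer check is an exact string comparison, so a
    difference in scheme ('https://' present or absent) is enough to fail,
    which is the mismatch reported in the error message in this thread.
    """
    claims = decode_claims(id_token)
    problems = []

    iss = claims.get("iss")
    if iss != expected_issuer:
        problems.append(
            f"iss mismatch: token has {iss!r}, provider expects {expected_issuer!r}"
        )

    # 'aud' may be a single string or a list of strings per the JWT spec.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append(
            f"aud mismatch: token has {aud!r}, provider expects {expected_audience!r}"
        )
    return problems


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Constructed token reproducing the situation from the question: the
    # issuer claim lacks the scheme that the provider configuration carries.
    sample = make_unsigned_sample_token({
        "iss": "accounts.google.com",
        "aud": PROVIDER_AUDIENCE,
        "sub": "constructed-subject",
    })
    for problem in check_token_against_provider(
            sample, "https://accounts.google.com", PROVIDER_AUDIENCE):
        print(problem)
```

To use it against a real token, pass the token you obtained from Google and, as `expected_issuer`, the issuer URI shown on the provider (the `oidc.issuerUri` field in the output of `gcloud iam workload-identity-pools providers describe`). If the script reports an `iss` mismatch, the two strings must be brought into agreement on the provider side; if it reports an `aud` mismatch, the token was minted for a different audience than the provider's resource name.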