Workload Identity Between two GCPs: Keep getting accounts.google.com as ISS and WIF throws error

We are new to setting up Workload Identity Federation. We need to ingest data from one GBQ to another GBQ across orgs. We must use WIF to set up access.

We decided to use OIDC token received from Google OpenID following https://medium.com/google-cloud/use-workload-identity-federation-with-another-gcp-project-98dc3b1c23...

It worked on the same account, but when testing across accounts it always threw {"error":"invalid_grant","error_description":"The issuer in ID Token accounts.google.com does not match the expected ones: https://accounts.google.com."}.

Tried different approaches and now even tried going through the gcloud CLI.

On the gcloud CLI I am able to authenticate using the provider config. The error doesn't show up.

But when trying any resource access, like storage ls or bq query, I get the same error as above all the time.


Hi @mais_an,

The error message you are encountering is probably caused by a discrepancy between the issuer specified in the token and the issuer expected by the resource you're trying to access.

Checking Issuer Configuration:

  • Check that the issuer URL specified in your WIF configuration in both accounts matches exactly the issuer URL in the OIDC token received from Google OpenID.

Checking Service Account Permissions:

  • Verify that the service account you are using has the necessary permissions to access BigQuery. You can grant the necessary permissions using the IAM console or commands.
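As an added example that is not part of this thread, the following Python script (standard library only) decodes the claims of an ID token offline and applies the same exact string comparison to iss that the STS token exchange applies, which is why a token carrying iss accounts.google.com is rejected by a provider whose issuer URI is https://accounts.google.com. It does not verify the signature (WIF does that against the issuer's JWKS); the sample tokens, project number, pool and provider names below are constructed for illustration, and the audience format is the WIF default as the author of this example understands it, to be compared against your provider's own allowed audiences.

```python
import base64
import json
from typing import List, Optional

# Added example, not code from the original thread. It reproduces the claim
# checks that fail before WIF ever reaches signature verification.
EXPECTED_ISSUER = "https://accounts.google.com"  # issuer the provider in the error expects


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_wif(token: str, expected_issuer: str,
                        expected_audience: Optional[str] = None) -> List[str]:
    """List the mismatches between the token's claims and what the WIF provider expects.

    An empty list means iss (and aud, if given) would pass the provider's checks.
    The comparison is an exact string match: "accounts.google.com" and
    "https://accounts.google.com" are two different issuers as far as WIF is concerned.
    """
    claims = decode_claims(token)
    problems = []
    iss = claims.get("iss")
    if iss != expected_issuer:
        problems.append(f"iss {iss!r} != expected {expected_issuer!r}")
    if expected_audience is not None:
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if expected_audience not in auds:
            problems.append(f"aud {aud!r} does not contain {expected_audience!r}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed test data)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "test"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


# Constructed claim sets modelled on the two issuer spellings in the thread.
# Audience assumed to be the WIF default: https://iam.googleapis.com/ followed by
# the provider's full resource name (project number, pool and provider are made up).
SAMPLE_AUDIENCE = ("https://iam.googleapis.com/projects/123456789012/locations/global/"
                   "workloadIdentityPools/bq-ingest-pool/providers/google-oidc")

BAD_TOKEN = make_sample_token({
    "iss": "accounts.google.com",  # bare hostname: what the error message reports
    "aud": SAMPLE_AUDIENCE,
    "sub": "112233445566778899",
    "email": "ingest@src-project.iam.gserviceaccount.com",
})
GOOD_TOKEN = make_sample_token({
    "iss": "https://accounts.google.com",  # matches the provider's issuer URI
    "aud": SAMPLE_AUDIENCE,
    "sub": "112233445566778899",
    "email": "ingest@src-project.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    for name, tok in (("bad", BAD_TOKEN), ("good", GOOD_TOKEN)):
        print(name, check_token_for_wif(tok, EXPECTED_ISSUER, SAMPLE_AUDIENCE) or "OK")
```

To feed a real token in, paste the ID token your workload presents to the STS endpoint into decode_claims and compare the result against what the provider is configured with, e.g. gcloud iam workload-identity-pools providers describe PROVIDER --location=global --workload-identity-pool=POOL --format="value(oidc.issuerUri,oidc.allowedAudiences)". Because the comparison is exact and a WIF OIDC provider's issuer URI has to be an https:// URL, the thing to change is the token source, so that the ID token carries iss https://accounts.google.com, not the provider's issuer URI.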