I am trying to test out getyAccessToken using the following curl command:
curl -X POST -H "Content-Type: application/json" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/signal-simple-svc-acct@simple-signal-415623.iam.gserviceaccount.com:generateAccessToken
I receive the following error in response:
{
"error": {
"code": 403,
"message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
"status": "PERMISSION_DENIED",
"details": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "IAM_PERMISSION_DENIED",
"domain": "iam.googleapis.com",
"metadata": {
"permission": "iam.serviceAccounts.getAccessToken"
}
}
]
}
}
The service account (URL Removed by Staff) has the following permissions: Owner, Service Account Token Creator, Service Account OpenID Connect Identity Token Creator, and Workload Identity user. I have no idea why this is happening. Any help would be greatly appreciated. I have a developer account with no organization, and my app is hosted on an AWS EC2 instance. I am using the Cognito/Google integration, although that isn't really in the picture right now. Thanks!
Hello @jgnoonan1990 ,
Even though your service account has the roles, you may want to consider ensuring the specific permission iam.serviceAccounts.getAccessToken
. Attaching here the documentation that you can check for reference.