i'm struggling to get deployments OIDC set up with...
# pulumi-deployments
i'm struggling to get deployments OIDC set up with GCP. i'm getting:
Copy code
Exception: invoke of gcp:organizations/getProject:getProject failed: invocation of gcp:organizations/getProject:getProject returned an error: invoking gcp:organizations/getProject:getProject: 1 error occurred: 
     	* Error when reading or editing Project "myproject": Get "<https://cloudresourcemanager.googleapis.com/v1/projects/myproject?alt=json&prettyPrint=false>": oauth2/google: unable to generate access token: Post "<https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/pulumi-dply-app-staging@myproject.iam.gserviceaccount.com:generateAccessToken>": oauth2/google: status code 400: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See <https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token> for the list of possible formats."}
i found this, which hints that i'm using the wrong values for the workload pool ID and identity provider ID:
I was using project name and full names for provider and pool id. After changing to number and just the short id for both worked like a charm
however, i've been unable to figure out the right format. https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token tells me that it expects
to have the format
, which i've tried; i've also tried it without the
prefix. i've tried a few other formats as well. can anyone help me figure out the exact format i should be using for those two values?