# pulumi-deployments
I'm struggling to get Deployments OIDC set up with GCP. I'm getting:

```
Exception: invoke of gcp:organizations/getProject:getProject failed: invocation of gcp:organizations/getProject:getProject returned an error: invoking gcp:organizations/getProject:getProject: 1 error occurred:
    * Error when reading or editing Project "myproject": Get "https://cloudresourcemanager.googleapis.com/v1/projects/myproject?alt=json&prettyPrint=false": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/pulumi-dply-app-staging@myproject.iam.gserviceaccount.com:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}
```
I found this, which hints that I'm using the wrong values for the workload pool ID and identity provider ID:

> I was using project name and full names for provider and pool id. After changing to number and just the short id for both worked like a charm
However, I've been unable to figure out the right format. https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token tells me that it expects `audience` to have the format `//iam.googleapis.com/projects/<project-number>/locations/global/workloadIdentityPools/<pool-id>/providers/<provider-id>`, which I've tried; I've also tried it without the `//iam.googleapis.com/` prefix. I've tried a few other formats as well. Can anyone help me figure out the exact format I should be using for those two values?
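Added example, not from this thread and not a confirmed fix for the Deployments settings: a small Python helper that assembles the STS `audience` in the format the token docs quote above, from a project number and the short pool/provider IDs, and reduces full resource names (the mistake the quoted reply describes) to their short IDs. The function names and sample values are made up for illustration.

```python
import re

# Hypothetical helper (not Pulumi's or Google's code): builds the STS audience
# value in the form given by the Google STS token docs. The project must be the
# numeric project NUMBER, and pool/provider must be the short IDs, not the full
# "projects/.../workloadIdentityPools/..." resource names.
AUDIENCE_PREFIX = "//iam.googleapis.com/"
_SHORT_ID_RE = re.compile(r"^[a-z0-9-]+$")
_FULL_NAME_RE = re.compile(
    r"^(?:projects/(?P<project>[^/]+)/locations/global/)?"
    r"workloadIdentityPools/(?P<pool>[^/]+)"
    r"(?:/providers/(?P<provider>[^/]+))?$"
)


def short_id(value, field):
    """Return the short ID for `field` ('pool' or 'provider').

    Accepts either a short ID or a full resource name; in the latter case the
    relevant path segment is extracted. Anything else is rejected.
    """
    match = _FULL_NAME_RE.match(value)
    if match and match.group(field):
        value = match.group(field)
    if not _SHORT_ID_RE.match(value):
        raise ValueError(f"{field} must be a short id like 'my-pool', got {value!r}")
    return value


def build_audience(project, pool_id, provider_id):
    """Assemble the full identity-provider resource name used as `audience`."""
    project = str(project)
    if not project.isdigit():
        # A project ID such as "myproject" is the wrong value here; the docs
        # want the numeric project number.
        raise ValueError(f"project must be the numeric project number, got {project!r}")
    return (
        f"{AUDIENCE_PREFIX}projects/{project}/locations/global/"
        f"workloadIdentityPools/{short_id(pool_id, 'pool')}/"
        f"providers/{short_id(provider_id, 'provider')}"
    )


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    print(build_audience(123456789012, "staging-pool", "github-provider"))
```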