damp-magazine-59707
09/26/2023, 3:37 PM
Exception: invoke of gcp:organizations/getProject:getProject failed: invocation of gcp:organizations/getProject:getProject returned an error: invoking gcp:organizations/getProject:getProject: 1 error occurred:
* Error when reading or editing Project "myproject": Get "https://cloudresourcemanager.googleapis.com/v1/projects/myproject?alt=json&prettyPrint=false": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/pulumi-dply-app-staging@myproject.iam.gserviceaccount.com:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}
i found this, which hints that i'm using the wrong values for the workload pool ID and identity provider ID:
"I was using project name and full names for provider and pool id. After changing to number and just the short id for both worked like a charm"
however, i've been unable to figure out the right format. https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token tells me that it expects audience to have the format //iam.googleapis.com/projects/<project-number>/locations/global/workloadIdentityPools/<pool-id>/providers/<provider-id>, which i've tried; i've also tried it without the //iam.googleapis.com/ prefix. i've tried a few other formats as well. can anyone help me figure out the exact format i should be using for those two values?