faint-motherboard-95438
04/17/2024, 10:30 PM

```yaml
values:
  environmentVariables:
    CLOUDSDK_AUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
    GOOGLE_PROJECT: ${gcp.login.project}
  gcp:
    login:
      fn::open::gcp-login:
        oidc:
          providerId: projects/my-project/locations/global/workloadIdentityPools/pulumi-oidc-identity-pool/providers/pulumi-oidc-provider
          serviceAccount: projects/my-project/serviceAccounts/pulumi-oidc-sa@12345.iam.gserviceaccount.com
          workloadPoolId: projects/my-project/locations/global/workloadIdentityPools/pulumi-oidc-identity-pool
        project: 12345
```

And when calling pulumi env open myenv I get:

Diags: exchanging token: status code 400: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}

I've tried to add //iam.googleapis.com/ as a prefix and some other variants, but always get the same error.
Not sure what's wrong nor how to debug this; -v=10 does not output anything.
Could use some help 🙏

red-match-15116
04/18/2024, 1:43 AM

red-match-15116
04/18/2024, 1:45 AM

red-match-15116
04/18/2024, 1:45 AM

faint-motherboard-95438
04/18/2024, 8:19 AM
identityProvider.workloadIdentityPoolProviderId instead of the identityProvider.id) also I had to put only the email for the serviceAccount, not the full id. The error was not really helpful on this, and the google documentation linked with it says to use the long ids, so that's kind of really misleading and unhelpful.
Also no way to debug and see the oidc rest request so one could guess by themselves what's wrong even if the error message is useless.
Anyway thanks for having put me in the right direction @red-match-15116

red-match-15116
04/18/2024, 2:54 PM