# esc
f
Hello here, I'm trying to use the GCP OIDC with esc (https://www.pulumi.com/docs/pulumi-cloud/oidc/gcp/) but I'm stuck with an error I'm not sure how to debug. Here's my esc env:

```yaml
values:
  environmentVariables:
    CLOUDSDK_AUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
    GOOGLE_PROJECT: ${gcp.login.project}
  gcp:
    login:
      fn::open::gcp-login:
        oidc:
          providerId: projects/my-project/locations/global/workloadIdentityPools/pulumi-oidc-identity-pool/providers/pulumi-oidc-provider
          serviceAccount: projects/my-project/serviceAccounts/pulumi-oidc-sa@12345.iam.gserviceaccount.com
          workloadPoolId: projects/my-project/locations/global/workloadIdentityPools/pulumi-oidc-identity-pool
        project: 12345
```
And when calling `pulumi env open myenv` I get:

```
Diags: exchanging token: status code 400: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}
```

I've tried to add `//iam.googleapis.com/` as a prefix and some other variants, but always get the same error. Not sure what's wrong nor how to debug this; `-v=10` does not output anything. Could use some help 🙏
r
In your OIDC setup do you have your org name as the Audience? This step in the docs:

> In the Audiences section, select the Allowed audiences radio button. Provide the name of your Pulumi organization as the value, then click Continue.

The error reads to me like something is misconfigured in the workload identity pool and provider.
The ESC docs also say it should be the short id for the providerId and workloadPoolId https://www.pulumi.com/docs/esc/providers/gcp-login/#gcploginoidc
Seems like your code is using long IDs?
f
Indeed I needed the short ids (which are hidden in something like `identityProvider.workloadIdentityPoolProviderId` instead of `identityProvider.id`). Also I had to put only the email for the `serviceAccount`, not the full id. The error was not really helpful on this, and the Google documentation linked with it says to use the long ids, so that's kind of really misleading and unhelpful. Also there's no way to debug and see the OIDC REST request so one could guess by themselves what's wrong even if the error message is useless. Anyway, thanks for having put me in the right direction @red-match-15116
r
Appreciate the feedback!