adorable-sunset-23574
05/24/2024, 3:05 AM
pulumi preview
error: getting stack configuration: opening environment: [0]
Diags: impersonating service account: generating impersonation token: status code 403: {
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}
The token is obtained with pulumi env open.
pulumi env open
{
  "environmentVariables": {
    "CLOUDSDK_AUTH_ACCESS_TOKEN": "ya29.c.c...",
    "GOOGLE_OAUTH_ACCESS_TOKEN": "ya29.c.c...",
    "GOOGLE_PROJECT": 119058577882,
    "GOOGLE_REGION": "asia-northeast"
  },
  "gcp": {
    "login": {
      "accessToken": "ya29.c.c...",
      "expiry": "2024-05-24T03:59:43Z",
      "project": 119058577882,
      "tokenType": "Bearer"
    }
  },
  "pulumiConfig": {
    "gcp:accessToken": "ya29.c.c..."
  }
}
My operating environment is as follows.
pulumi about
CLI
Version      3.113.3
Go Version   go1.22.2
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  gcp     7.23.0
language  nodejs  unknown

Host
OS       ubuntu
Version  22.04
Arch     x86_64

This project is written in nodejs: executable='/home/niida/.nvm/versions/node/v21.4.0/bin/node' version='v21.4.0'
Please help me.

adorable-sunset-23574
05/24/2024, 7:07 AM

plain-diamond-92898
05/24/2024, 8:53 PM

adorable-sunset-23574
05/26/2024, 1:53 PM
values:
  environmentVariables:
    CLOUDSDK_AUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
    GOOGLE_OAUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
    GOOGLE_PROJECT: ${gcp.login.project}
    GOOGLE_REGION: asia-northeast
  gcp:
    login:
      fn::open::gcp-login:
        oidc:
          providerId: pulumi
          serviceAccount: pulumi@${MY PROJECT}.iam.gserviceaccount.com
          workloadPoolId: pulumi-pool
        project: ${MY PROJECT NUMBER}
  pulumiConfig:
    gcp:accessToken: ${gcp.login.accessToken}
    gcp:project: ${gcp.login.project}
I have seen the manual for the link. The pulumi env open command is getting the token, so I am thinking it is not a problem with the OIDC settings, but is there anything I should be aware of?

plain-diamond-92898
05/29/2024, 4:44 PM
gcp:
  login:
    fn::open::gcp-login:
      oidc:
        providerId: pulumi
        serviceAccount: pulumi@${MY PROJECT}.iam.gserviceaccount.com
        workloadPoolId: pulumi-pool
        subjectAttributes:
          - pulumi.user.login
      project: ${MY PROJECT NUMBER}
adorable-sunset-23574
05/31/2024, 7:26 AM
currentEnvironment.name is specified, the value to be set for the subject portion of the service account authority is
pulumi:environments:pulumi.organization.login:{MY ORG NAME}:currentEnvironment.name:{MY ENV NAME}
Is this correct?

plain-diamond-92898
06/04/2024, 1:56 AM

plain-diamond-92898
06/04/2024, 1:58 AM