# esc
a
Hi all, I am getting an error "Diags: impersonating service account: generating impersonation token: status code 403" when I try to use my GCP access token using ESC.
pulumi preview
error: getting stack configuration: opening environment: [0] 
Diags: impersonating service account: generating impersonation token: status code 403: {
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}
The token is obtained in pulumi env open.
pulumi env open
{
  "environmentVariables": {
    "CLOUDSDK_AUTH_ACCESS_TOKEN": "ya29.c.c...",
    "GOOGLE_OAUTH_ACCESS_TOKEN": "ya29.c.c...",
    "GOOGLE_PROJECT": 119058577882,
    "GOOGLE_REGION": "asia-northeast"
  },
  "gcp": {
    "login": {
      "accessToken": "ya29.c.c...",
      "expiry": "2024-05-24T03:59:43Z",
      "project": 119058577882,
      "tokenType": "Bearer"
    }
  },
  "pulumiConfig": {
    "gcp:accessToken": "ya29.c.c..."
  }
}
My operating environment is as follows.
pulumi about
CLI          
Version      3.113.3
Go Version   go1.22.2
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  gcp     7.23.0
language  nodejs  unknown

Host     
OS       ubuntu
Version  22.04
Arch     x86_64

This project is written in nodejs: executable='/home/niida/.nvm/versions/node/v21.4.0/bin/node' version='v21.4.0'
Please help me.
I am not an admin of our Pulumi organization. Is this the cause of the problem? If so, I would like to know the workaround.
p
Hi @adorable-sunset-23574 - Can you show the definition? We recommend using subject attributes if you aren't already: https://www.pulumi.com/docs/pulumi-cloud/oidc/provider/#:~:text=Always%20write.-,Pulumi%20ESC,-The%20default%20format Can you also see this? https://www.pulumi.com/docs/pulumi-cloud/oidc/provider/gcp/#:~:text=If%20you%20are,yaml%3E%20as%20shown.
a
Hi @plain-diamond-92898 Thanks for getting back to me. My definitions are as follows.
values:
  environmentVariables:
    CLOUDSDK_AUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
    GOOGLE_OAUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
    GOOGLE_PROJECT: ${gcp.login.project}
    GOOGLE_REGION: asia-northeast
  gcp:
    login:
      fn::open::gcp-login:
        oidc:
          providerId: pulumi
          serviceAccount: pulumi@${MY PROJECT}.iam.gserviceaccount.com
          workloadPoolId: pulumi-pool
        project: ${MY PROJECT NUMBER}
  pulumiConfig:
    gcp:accessToken: ${gcp.login.accessToken}
    gcp:project: ${gcp.login.project}
I have seen the manual for the link. The pulumi env open command is getting the token, so I am thinking it is not a problem with the OIDC settings, but is there anything I should be aware of?
p
Thank you. The issue you are encountering seems to be related to an OIDC subject configuration issue, as mentioned here. Can you configure subjectAttributes, like the snippet below? You have more subject attributes to choose from in the docs.
gcp:
    login:
      fn::open::gcp-login:
        oidc:
          providerId: pulumi
          serviceAccount: pulumi@${MY PROJECT}.iam.gserviceaccount.com
          workloadPoolId: pulumi-pool
          subjectAttributes:
          - pulumi.user.login
        project: ${MY PROJECT NUMBER}
a
Thanks @plain-diamond-92898. If currentEnvironment.name is specified, the value to be set for the subject portion of the service account authority is
pulumi:environments:pulumi.organization.login:{MY ORG NAME}:currentEnvironment.name:{MY ENV NAME}
Is that correct?
p
That is correct!
We have this example for AWS: https://www.pulumi.com/docs/pulumi-cloud/oidc/provider/aws/#:~:text=Consider%20the%20following,user.login%3ApersonA Just realized that for GCP our doc changes didn't get merged, but it is the same! I'll merge it soon.