Expected OAuth 2 access token, login cookie or ...
# general
```
Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
    Details:
    [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "domain": "googleapis.com",
        "metadata": {
          "method": "google.cloudresourcemanager.v1.Projects.GetIamPolicy",
          "service": "cloudresourcemanager.googleapis.com"
        },
        "reason": "ACCESS_TOKEN_EXPIRED"
      }
    ]
```
When attempting to manage infrastructure, I am receiving this error for each resource I'm attempting to manage. I've set up the OIDC integration, but I am not sure why the token isn't being automatically refreshed or how to refresh it myself.
I did eventually get this working after talking to support, thanks James! I had to update my ESC config, and log out and log back in, and retry a few times, but it did eventually work again.
If you had set the accessToken field on the GCP provider explicitly or via pulumiConfig gcp:accessToken: 'token', then this behavior happens because that value is written to state, and state is read but not updated on refresh and destroy operations. If you instead use an environment variable to set the access token in ESC, it will be refreshed correctly every time. Here is an example GCP ESC config that will work:
 
```
values:
  gcp:
    login:
      fn::open::gcp-login:
        project: <NUMERIC project id - won't work with the friendly name>
        oidc:
          workloadPoolId: <gcp-identity-pool-name>
          providerId: pulumi-oidc
          serviceAccount: <service-account-name>
  environmentVariables:
    GOOGLE_CLOUD_PROJECT: ${gcp.login.project}
    GOOGLE_OAUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
    CLOUDSDK_AUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
    USE_GKE_GCLOUD_AUTH_PLUGIN: true
    USER_PROJECT_OVERRIDE: true
```
 
Note the two env vars GOOGLE_OAUTH_ACCESS_TOKEN and CLOUDSDK_AUTH_ACCESS_TOKEN are set: one is for the SDK (used by Pulumi) and the other for gcloud operations, used by GKE.