Hello everyone, I try to deploy to GCP via Pulumi...
# general
Hello everyone, I try to deploy to GCP via Pulumi Cloud. I want to configure Pulumi to use OpenID Connect to authenticate with Google Cloud. But I got an error: Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist). I walked through this description: https://www.pulumi.com/docs/pulumi-cloud/access-management/oidc/provider/gcp/
- I created a Workload Identity Pool and Provider
- and a Service Account
- Gave the SA the following roles:
  - Workload Identity User
  - Service Account OpenID Connect Identity Token Creator
  - Service Account Admin
- I granted access to the service account

The "Grant access to the service account" description is a little bit obsolete, I think. On GCP I chose "Grant access using Service Account impersonation" because there I could set what is described in the Pulumi doc. There it is not so clear what kind of value I have to set as the "subject" attribute. The "Subject claim examples" section is also not clear about where I can set these kinds of subject identifiers:
pulumi:deploy:org:contoso:project:core:stack:dev:operation:preview:scope:write
I set the Environment as shown under the "Pulumi ESC" section. However, it is not clear where I can copy the "providerId" from. Should it look like this?
```
iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
```
When I replaced the providerId with this complete URL I got this error:
```
status code 400: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}
```
What do I have to paste in the serviceAccount: <your-service-account> section? The service account mail? Where do the following attributes come from?
```yaml
environmentVariables:
  GOOGLE_PROJECT: ${gcp.login.project}
  CLOUDSDK_AUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
pulumiConfig:
  gcp:accessToken: ${gcp.login.accessToken}
```
I found other docs about OIDC configuration with GCP, but the environment variables are not exactly the same as in the previous docs: https://www.pulumi.com/registry/packages/gcp/installation-configuration/#authenticate-with-dynamically-generated-credentials In the environment preview I have a lot of unknown values.
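An added example of the ESC environment shape the post is working towards (this is not the poster's file and not copied from Pulumi's docs). It assumes the `fn::open::gcp-login` provider with `project`, `oidc.workloadPoolId`, `oidc.providerId` and `oidc.serviceAccount` fields, and that ESC assembles the full identity-provider resource name from those short IDs itself; every angle-bracket value is a placeholder.

```yaml
# Added example (not from the post): a Pulumi ESC environment for GCP OIDC.
# Replace every <placeholder> with the values from your own GCP project.
values:
  gcp:
    login:
      fn::open::gcp-login:
        # Numeric project number (not the project ID string)
        project: <project-number>
        oidc:
          # Short IDs only, as used when the pool and provider were created.
          # The full //iam.googleapis.com/projects/.../providers/... name is
          # the STS "audience"; assumed to be built by ESC from these fields,
          # so pasting the full resource name here is what yields the 400.
          workloadPoolId: <pool-id>
          providerId: <provider-id>
          # E-mail of the service account that the OIDC identity impersonates
          serviceAccount: <sa-name>@<project-id>.iam.gserviceaccount.com
  # Exported to the process environment for gcloud / the GCP provider
  environmentVariables:
    GOOGLE_PROJECT: ${gcp.login.project}
    CLOUDSDK_AUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
  # Injected into Pulumi config so the gcp provider uses the short-lived token
  pulumiConfig:
    gcp:accessToken: ${gcp.login.accessToken}
```

On the GCP side, the member that is granted Workload Identity User on that service account is the pool principal for the subject claim (for example the pulumi:deploy:... value quoted above), so an exact-match binding only works when the operation and scope in the subject match what Pulumi actually sends.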
Hello @late-hamburger-29965, did you find any answers? I think I'm having the same problem.