support gcp identity from aws via workload identity federation #7155
Comments
I had a working session with GCP support and we were able to determine that in order for this to work, we need to grant the
super interested in this, thanks for digging in.
@darrendao, did you manage to raise that PR for the doc update?
Hi @darrendao I have been hitting this error and would like to ask:
In the project where you want to deploy Cloud Custodian add a principal in the following way:
where:
Then assign the
Hi @gbanas Thank you for the reply. However, I am trying to use an IAM Role and not an IAM User.
Ok, I can confirm that this is not a permissions issue. The correction presented by @darrendao seems to fix the problem.
This correction addresses issue: cloud-custodian#7155
…ustodian/issues/7155 Revert "Update client.py"
Applied fix described here: cloud-custodian#7155
Created a pull request with my personal account (this is my work related account).
Describe the bug
We're trying to deploy GCP policies from an AWS EC2 instance. Not sure if anyone has successfully done this but we don't see any examples nor any mentions on gitter.
On the GCP side, we had set up a service account with the appropriate Workload identity federation and binding for AWS (https://cloud.google.com/iam/docs/workload-identity-federation). When we try to deploy the policy, we get the following error:
What did you expect to happen?
Able to deploy GCP policies from AWS (workload identity federation)
Cloud Provider
Google Cloud (GCP)
Cloud Custodian version and dependency information
Policy
Relevant log/traceback output
Extra information or context
At first, I thought the issue is with the GCP service account not having the appropriate permissions. However, after giving it "Owner" role permissions, the error is still there. I also verified that if I were to download the service account credential file and use it directly, then there's no issue. So that means the problem must be with how the code tries to exchange AWS cred for GCP cred.
I started digging into the auth code and was able to track down the API call that was returning that error. The API call is
I believe this request is for obtaining a GCP credential from an AWS credential. Looking at the request details, I noticed that it has the following header: x-goog-user-project:my-project-id, which is used for setting the quota/billing project id. It is set to my project id by the following line in c7ncloud-custodian/tools/c7n_gcp/c7n_gcp/client.py
Lines 178 to 179 in ebbc7cf
generateAccessToken API call but we're not authenticated/authorized to that project in the first place (i.e. we're still trying to obtain the credential). Modifying the c7n code from
to
seems to fix it but I don't know if that's what we want to do because it's only the generateAccessToken call that throws an error if you specify quota project id. For all other API calls, it is fine. So ultimately, I think we need to update the code to know when to set quota project id rather than just setting it right at the beginning.
As part of troubleshooting this issue, I was able to come up with a very simple sample code that throws the same error.
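The reporter's conclusion is that the quota-project header is harmless on ordinary API calls but breaks the credential-minting call made before the caller is authorized in that project. The following is an added illustration of that "set the header only when it is safe" rule; it is not Cloud Custodian's client.py and none of its names come from the project. The hostnames and path suffixes it matches, the fake API that reproduces only the symptom described in the issue, and the sample service-account address are all assumptions constructed for this example.

```python
"""Decide when a Google API request may carry x-goog-user-project.

Hypothetical helper written for this issue; not c7n_gcp code.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumption: calls made while the caller is still obtaining a GCP credential.
# generateAccessToken is the call named in the issue; the STS token exchange
# (first hop of workload identity federation) is added on the same reasoning.
BOOTSTRAP_HOSTS = {"sts.googleapis.com", "iamcredentials.googleapis.com"}
BOOTSTRAP_PATH_SUFFIXES = (":generateAccessToken", "/v1/token")


def is_credential_bootstrap(url: str) -> bool:
    """True if `url` mints a credential and so cannot yet bill a quota project."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return host in BOOTSTRAP_HOSTS and parts.path.endswith(BOOTSTRAP_PATH_SUFFIXES)


def request_headers(url: str, quota_project: Optional[str],
                    base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Build request headers, attaching the quota project only to calls
    that are made after a credential has been obtained."""
    headers = {k.lower(): v for k, v in (base or {}).items()}
    headers.pop("x-goog-user-project", None)  # never inherit a stale value
    if quota_project and not is_credential_bootstrap(url):
        headers["x-goog-user-project"] = quota_project
    return headers


class FakeGoogleApi:
    """Constructed offline stand-in for the Google endpoints. It reproduces
    one behaviour only: the credential-minting call rejects a quota project
    the caller is not yet authorized for (the error reported in the issue)."""

    def __init__(self) -> None:
        self.authenticated = False

    def call(self, url: str, headers: Dict[str, str]) -> Dict[str, Optional[str]]:
        quota = headers.get("x-goog-user-project")
        if is_credential_bootstrap(url):
            if quota and not self.authenticated:
                raise PermissionError(
                    f"quota project {quota!r} not usable before authentication")
            self.authenticated = True
        return {"url": url, "quota_project": quota}


def run_deployment(api: FakeGoogleApi, quota_project: str,
                   set_header_always: bool) -> List[Dict[str, Optional[str]]]:
    """Simulate a deploy: mint a token, then call a regular resource API.
    `set_header_always=True` mimics setting the header once up front;
    False applies request_headers() per call."""
    calls = [
        # constructed sample service account, not a real one
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "sa@example.iam.gserviceaccount.com:generateAccessToken",
        "https://compute.googleapis.com/compute/v1/projects/my-project-id/"
        "zones/us-central1-a/instances",
    ]
    results = []
    for url in calls:
        if set_header_always:
            headers = {"x-goog-user-project": quota_project}
        else:
            headers = request_headers(url, quota_project)
        results.append(api.call(url, headers))
    return results


if __name__ == "__main__":
    try:
        run_deployment(FakeGoogleApi(), "my-project-id", set_header_always=True)
    except PermissionError as exc:
        print("header on every call:", exc)
    for r in run_deployment(FakeGoogleApi(), "my-project-id", set_header_always=False):
        print("per-call policy:", r)
```

With the header set unconditionally the simulated token request fails, which matches the issue; with the per-call policy the token request goes out without the header and the subsequent resource call still carries it, so quota and billing attribution are preserved where they are meaningful.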