This page describes resolutions for common workload identity federation errors.
Google Cloud API does not accept the credential issued from SecurityTokenService
If you encounter the following error, you might be attempting to access a
Google Cloud API directly using a credential issued from
SecurityTokenService instead of exchanging it for a service account credential
first.
{
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED"
  }
}
To resolve this error, exchange the credential minted from the
SecurityTokenService for a service account token by calling
GenerateAccessToken.
For more information, see Obtaining short-lived credentials with identity
federation.
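The two-step flow described above (SecurityTokenService exchange, then GenerateAccessToken), as an added example that is not Google's own client code. The transport is injectable so it can be exercised offline; the audience, subject token and service account email are placeholders you must supply.

```python
import json
import urllib.request

STS_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDENTIALS_URL = "https://iamcredentials.googleapis.com/v1"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def http_post_json(url, body, headers=None):
    """Default transport: POST a JSON body and decode the JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def exchange_external_token(audience, subject_token, subject_token_type, post=http_post_json):
    """Step 1: trade the external (e.g. OIDC) token for a federated STS token.

    The result is only accepted by SecurityTokenService and IAM Credentials;
    presenting it to another Google Cloud API yields the 401 UNAUTHENTICATED above.
    """
    body = {
        "audience": audience,  # //iam.googleapis.com/projects/.../providers/... (placeholder)
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "scope": CLOUD_PLATFORM_SCOPE,
        "subjectTokenType": subject_token_type,
        "subjectToken": subject_token,
    }
    return post(STS_URL, body)["access_token"]


def generate_service_account_token(federated_token, service_account_email, post=http_post_json):
    """Step 2: call GenerateAccessToken, authenticating with the federated token."""
    url = (f"{IAM_CREDENTIALS_URL}/projects/-/serviceAccounts/"
           f"{service_account_email}:generateAccessToken")
    body = {"scope": [CLOUD_PLATFORM_SCOPE], "lifetime": "3600s"}
    headers = {"Authorization": f"Bearer {federated_token}"}
    return post(url, body, headers)["accessToken"]


def mint_service_account_token(audience, subject_token, subject_token_type,
                               service_account_email, post=http_post_json):
    """Full exchange: external token -> federated token -> service account token."""
    federated = exchange_external_token(audience, subject_token, subject_token_type, post)
    return generate_service_account_token(federated, service_account_email, post)
```

Only the value returned by mint_service_account_token should be sent as a bearer token to other Google Cloud APIs.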
Allowlist an identity provider for use with workload identity federation
If you attempt to configure a disallowed identity provider as a workload identity pool provider, you encounter the following error:
FAILED_PRECONDITION: Precondition check failed.
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - description: "Org Policy violated for value: '{PROVIDER}'."
    subject: orgpolicy:projects/{PROJECT}/locations/global/workloadIdentityPools/{POOL}
    type: constraints/iam.workloadIdentityPoolProviders
To resolve this issue, follow the directions on Restrict identity provider configuration to allowlist the identity provider for use with workload identity federation.