This page describes resolutions for common Workload Identity Federation errors.
Google Cloud API does not accept the credential issued from SecurityTokenService
If you encounter the following error, you might be attempting to access a
Google Cloud API directly using a credential issued from
SecurityTokenService
instead of exchanging it for a service account credential
first.
{
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED",
}
}
To resolve this error, exchange the credential minted from the
SecurityTokenService
for a service account token by calling
GenerateAccessToken
.
For more information, see Obtaining short-lived credentials with identity
federation.
Allowlist an identity provider for use with Workload Identity Federation
If you attempt to configure a disallowed identity provider as a workload identity pool provider, you encounter the following error:
FAILED_PRECONDITION: Precondition check failed.
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
violations:
- description: "Org Policy violated for value: '{PROVIDER}'."
subject: orgpolicy:projects/{PROJECT}/locations/global/workloadIdentityPools/{POOL}
type: constraints/iam.workloadIdentityPoolProviders
To resolve this issue, follow the directions on Restrict identity provider configuration to allowlist the identity provider for use with Workload Identity Federation.
Input JWK is not in a valid json format
If you are configuring an OIDC provider and you receive the error Input JWK is
not in a valid json format
, it can be because endpoints that are secured with
self-signed certificates aren't supported by Google Cloud. Specifically,
the x5c
and x5t
fields aren't supported and must be removed from the OIDC
JWK.
To resolve issues with your JWK, do the following:
Edit your JWK and remove the
x5c
(X.509 Certificate Chain) andx5t
(X.509 Certificate SHA-1 Thumbprint) fields.{ "kty": "RSA", "use": "sig", "kid": "example-key-id", "alg": "RS256", "n": "base64url-modulus", "e": "AQAB" }
Verify that the remaining JWK fields are properly formatted as described in the OIDC specification.
Configure the OIDC provider with the updated JWK.
Error connecting to the given credential's issuer
If you receive the following error, it might be because Google Cloud is unable to fetch your IdP's OIDC metadata document or JWKS:
{
"error": "invalid_grant",
"error_description":"Error connecting to the given credential's issuer."
}
This error usually occurs because the endpoints aren't configured to be reachable from the public internet. To resolve this error, check that the OIDC endpoint is publicly available and compliant with the OIDC specification. For more information, see Preparing the external identity provider.
If you still receive the error, check that the token issuer, the iss
claim in
the token correct.