{"error":{"code":401,"message":"Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.","status":"UNAUTHENTICATED",}}
{"error":"invalid_request","error_description":"The size of mapped attribute google.subject exceeds the 127 bytes limit. Either modify your attribute mapping or the incoming assertion to produce a mapped attribute that is less than 127 bytes."}
如果您從 SecurityTokenService API 要求權杖時收到 429 Too Many Requests 錯誤,表示您的 Google Cloud 專案已超出 API 的速率配額限制。
錯誤訊息類似於下列內容:
{"error":"quota_exceeded","error_description":"The request was throttled due to rate limit: sts.googleapis.com/requests. Please retry after a few seconds."}
如要解決這個問題,請找出錯誤訊息中提供的 sts.googleapis.com/requests 指標名稱,在 IAM 配額頁面中找到對應的指標名稱,確認使用百分比超過配額,然後要求提高配額。
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[],[],null,["# Troubleshoot Workload Identity Federation\n\nThis page describes resolutions for common [Workload Identity Federation](/iam/docs/workload-identity-federation)\nerrors.\n\nGoogle Cloud API does not accept the credential issued from `SecurityTokenService`\n----------------------------------------------------------------------------------\n\nAccess tokens returned by the\n[`SecurityTokenService`](/iam/docs/reference/sts/rest/v1/TopLevel/token) API\nare [federated access tokens](/docs/authentication/token-types#federated).\nAlthough most Google Cloud APIs support identity federation, certain API\nmethods might have limitations. For a list of limitations, see\n[Identity federation: products and limitations](/iam/docs/federated-identity-supported-services).\n\nIf you encounter the following error, you might be attempting to use a\nfederated access token with a service that doesn't support them. \n\n {\n \"error\": {\n \"code\": 401,\n \"message\": \"Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.\",\n \"status\": \"UNAUTHENTICATED\",\n }\n }\n\nTo resolve this error, exchange the federated access token for an unrestricted\naccess token by calling\n[`GenerateAccessToken`](/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken).\nFor more information, see [Obtaining short-lived credentials with identity\nfederation](/iam/docs/using-workload-identity-federation).\n\nAllowlist an identity provider for use with Workload Identity Federation\n------------------------------------------------------------------------\n\nIf you attempt to configure a disallowed identity provider as a workload\nidentity pool provider, you encounter the following error: \n\n FAILED_PRECONDITION: Precondition check failed.\n - '@type': type.googleapis.com/google.rpc.PreconditionFailure\n violations:\n - description: \"Org Policy violated for value: '{PROVIDER}'.\"\n subject: orgpolicy:projects/{PROJECT}/locations/global/workloadIdentityPools/{POOL}\n type: constraints/iam.workloadIdentityPoolProviders\n\nTo resolve this issue, follow the directions on\n[Restrict identity provider configuration](/iam/docs/manage-workload-identity-pools-providers#restrict)\nto allowlist the identity provider for use with Workload Identity Federation.\n\nInput JWK is not in a valid json format\n---------------------------------------\n\nIf you are configuring an OIDC provider and you receive the error `Input JWK is\nnot in a valid json format`, it can be because endpoints that are secured with\nself-signed certificates aren't supported by Google Cloud. Specifically,\nthe `x5c` and `x5t` fields aren't supported and must be removed from the OIDC\nJWK.\n\nTo resolve issues with your JWK, do the following:\n\n1. Edit your JWK and remove the `x5c` (X.509 Certificate Chain) and `x5t`\n (X.509 Certificate SHA-1 Thumbprint) fields.\n\n {\n \"kty\": \"RSA\",\n \"use\": \"sig\",\n \"kid\": \"example-key-id\",\n \"alg\": \"RS256\",\n \"n\": \"base64url-modulus\",\n \"e\": \"AQAB\"\n }\n\n2. Verify that the remaining JWK fields are properly formatted as described in\n the [OIDC specification](https://openid.net/specs/openid-connect-core-1_0.html#JWKS).\n\n3. Configure the OIDC provider with the updated JWK.\n\nError connecting to the given credential's issuer\n-------------------------------------------------\n\nIf you receive the following error, it might be because Google Cloud is unable to\nfetch your IdP's OIDC metadata document or JWKS: \n\n {\n \"error\": \"invalid_grant\",\n \"error_description\":\"Error connecting to the given credential's issuer.\"\n }\n\nThis error usually occurs because the endpoints aren't configured to be\nreachable from the public internet. To resolve this error, check that the OIDC\nendpoint is publicly available and compliant with the OIDC specification. For\nmore information, see [Preparing the external identity provider](/iam/docs/configuring-workload-identity-federation#oidc).\n\nIf you still receive the error, check that the token issuer, the `iss` claim in\nthe token correct.\n\nMapped google.subject claim exceeds the 127 bytes limit\n-------------------------------------------------------\n\nIf you receive the following error, it's because the incoming credentials received by the\n[`SecurityTokenService`](/iam/docs/reference/sts/rest/v1/TopLevel/token) API\ngenerate a `google.subject` claim that exceeds the character limit: \n\n {\n \"error\": \"invalid_request\",\n \"error_description\":\"The size of mapped attribute google.subject exceeds the 127 bytes limit. Either modify your attribute mapping or the incoming assertion to produce a mapped attribute that is less than 127 bytes.\"\n }\n\nTo resolve this issue, use the [`extract` function](/iam/docs/conditions-attribute-reference#extract)\nto remove unnecessary characters and extract a unique subject identifier from a\nlonger claim, for example: \n\n```\ngoogle.subject=assertion.sub.extract('/users/{sub_claim}')\n```\n\nError 429 Too Many Requests\n---------------------------\n\nIf you receive the error `429 Too Many Requests`, while requesting a token from the [`SecurityTokenService`](/iam/docs/reference/sts/rest/v1/TopLevel/token) API, it\nmeans that your Google Cloud project has exceeded its rate quota limit for the\nAPI.\n\nThe error includes a message similar to the following: \n\n {\n \"error\": \"quota_exceeded\",\n \"error_description\":\"The request was throttled due to rate limit: sts.googleapis.com/requests. Please retry after a few seconds.\"\n }\n\nTo resolve this issue, identify the `sts.googleapis.com/requests` metric name\nprovided in the error message, locate the corresponding metric name in the\n[IAM Quota page](https://console.cloud.google.com/iam-admin/quotas), confirm\nthe usage percentage exceeds the quota and request a quota increase."]]
