Gitlab connection to GCP Workload Identity Federation return invalid_grant
Yesterday I saw that Gitlab has enabled OIDC JWT tokens for jobs on CI/CD. I know CI_JOB_JWT_V2 is marked as an alpha feature.
I tried to use it with Workflow Identity Federation (WIF) on a Gitlab runner with the gcloud CLI, but I get an error. When trying to do it via the STS API I hit the same error. What am I missing?
{
"error": "invalid_grant",
"error_description": "The audience in ID Token [https://gitlab.com] does not match the expected audience."
}
Decoded, my Gitlab JWT token looks mostly like this (ofc without the details)
{
"namespace_id": "1111111111",
"namespace_path": "xxxxxxx/yyyyyyyy/zzzzzzzzzzz",
"project_id": "<project_id>",
"project_path": "xxxxxxx/yyyyyyyy/zzzzzzzzzzz/hf_service",
"user_id": "<user_id>",
"user_login": "<username>",
"user_email": "<user_email>",
"pipeline_id": "456971569",
"pipeline_source": "push",
"job_id": "2019605390",
"ref": "develop",
"ref_type": "branch",
"ref_protected": "true",
"environment": "develop",
"environment_protected": "false",
"jti": "<jti>",
"iss": "https://gitlab.com",
"iat": <number>,
"nbf": <number>,
"exp": <number>,
"sub": "project_path:xxxxxxx/yyyyyyyy/zzzzzzzzzzz/hf_service:ref_type:branch:ref:develop",
"aud": "https://gitlab.com"
}
In the GCP console I have a WIF pool with one provider set to OIDC, named gitlab, with the issuer URL taken from https://gitlab.com/.well-known/openid-configuration.
I have tried granting the service account access to the whole pool, but it made no difference. The config created for this SA looks like this
{
"type": "external_account",
"audience": "//iam.googleapis.com/projects/<projectnumber>/locations/global/workloadIdentityPools/<poolname>/providers/gitlab",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"token_url": "https://sts.googleapis.com/v1/token",
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/gitlab-deployer@<projectid>.iam.gserviceaccount.com:generateAccessToken",
"credential_source": {
"file": "gitlab_token",
"format": {
"type": "text"
}
}
}
By default, Workload Identity Federation expects the aud claim to contain the URL of the workload identity pool provider. This URL looks like this:
https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
But your token seems to use https://gitlab.com as the audience.
Reconfigure GitHub to use the workload identity pool provider URL as the audience, or reconfigure the pool to use a custom audience by running
gcloud iam workload-identity-pools providers update-oidc ... \
--allowed-audiences=https://gitlab.com
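A pre-flight check for the mismatch described in this thread, added here as an example and not code from either post: it decodes the job token's claims locally and applies the same audience rule the answer describes (default audience is the provider resource name as an https URL; an allowed-audiences list, assumed here to replace the default, is honoured instead when set), so a pipeline can fail fast with a clear message before calling STS. The sample claims, project number, pool name and the placeholder signature are constructed.

```python
import base64
import json

# Constructed sample payload, shaped like the decoded token in the question.
SAMPLE_PAYLOAD = {
    "iss": "https://gitlab.com",
    "sub": "project_path:group/sub/proj:ref_type:branch:ref:develop",
    "aud": "https://gitlab.com",
}

# The 'audience' field of the external_account credential config (constructed ids).
CRED_AUDIENCE = ("//iam.googleapis.com/projects/123456/locations/global/"
                 "workloadIdentityPools/mypool/providers/gitlab")


def unsigned_jwt(payload: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed test input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder"


def jwt_payload(jwt: str) -> dict:
    """Return the decoded, UNVERIFIED payload of a compact JWT.

    Signature verification against the issuer's JWKS is STS's job at exchange
    time; this only inspects claims so a misconfiguration is caught early.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def expected_audience(cred_audience: str) -> str:
    """Default audience: the provider resource name as an https URL."""
    return "https://" + cred_audience.lstrip("/")


def check_audience(payload: dict, cred_audience: str, allowed=()) -> str:
    """Apply the audience rule; return "ok" or an STS-style error description."""
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    accepted = set(allowed) or {expected_audience(cred_audience)}
    if any(a in accepted for a in auds):
        return "ok"
    return (f"The audience in ID Token [{', '.join(map(str, auds))}] "
            "does not match the expected audience.")
```

Run `check_audience(jwt_payload(token), CRED_AUDIENCE)` in the job with the real token and config audience; pass `allowed=["https://gitlab.com"]` only if the provider was updated with `--allowed-audiences` as shown above.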