Fix GCP IAM Sa Workload Errors
When working with GCP IAM, you may encounter a configuration error that prevents your deployment from working. This guide explains the most common mistake made when federating an external workload to a service account and shows the exact fix.
A Common Mistake
Configuring Workload Identity Federation with an incorrectly formatted OpenID Connect (OIDC) token mapping, causing authentication failures for external workloads.
The incorrect command:
gcloud iam workload-identity-pools providers create-oidc my-provider --location=global --workload-identity-pool=my-pool --issuer-uri=https://token.actions.githubusercontent.com --attribute-mapping="google.subject=sub" --attribute-condition="true"
Error output:
ERROR: (gcloud.iam.workload-identity-pools.providers.create-oidc) INVALID_ARGUMENT: The attribute mapping 'google.subject=sub' is missing the required 'assertion.' prefix. Attribute mappings must be in the format 'google.subject=assertion.sub' for assertions derived from the token.
The Correct Approach
The right way to configure the service account workload identity provider in GCP IAM (the right-hand side of every mapping is a CEL expression over the token's claims, so it must be written as assertion.<claim>):
gcloud iam workload-identity-pools providers create-oidc my-provider --location=global --workload-identity-pool=my-pool --issuer-uri=https://token.actions.githubusercontent.com --attribute-mapping="google.subject=assertion.sub"
Successful result:
Created workload identity pool provider [my-provider].
Attribute mapping:
- google.subject = assertion.sub
- attribute.actor = assertion.actor
- attribute.repository = assertion.repository
The OIDC provider correctly maps the GitHub Actions 'sub' claim to the Google subject.
How to Prevent This
Prefer Workload Identity Federation over downloaded service account keys for external workloads, so no long-lived credential leaves Google Cloud. Test attribute mappings with gcloud iam workload-identity-pools providers keys list. Use --attribute-condition as an additional security filter, for example 'assertion.repository_owner == "my-org"', so that tokens from other GitHub organizations with a matching 'sub' claim cannot be exchanged. Monitor federation activity in Cloud Audit Logs under the 'principalSubject' field.
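A preflight check for the mapping string before it is handed to gcloud, covering both the correction above (every source expression must reference assertion.<claim>, and google.subject must be mapped) and the prevention advice. This is an added example and not code from the page or from Google; the rules it encodes are my reading of the attribute-mapping syntax (targets google.subject, google.groups or attribute.<name>; sources are CEL over assertion), and it assumes that no mapping expression contains a comma.

```shell
#!/bin/sh
# check_attribute_mapping MAPPING
# Lints a --attribute-mapping value before it reaches gcloud.
# Returns 0 when every pair looks valid, 1 otherwise, printing reasons to stderr.
check_attribute_mapping() {
  mapping="$1"
  status=0

  # google.subject is the one mapping the pool always needs.
  case ",$mapping," in
    *,google.subject=*) ;;
    *) echo "missing google.subject mapping" >&2; status=1 ;;
  esac

  # Walk the comma-separated pairs without relying on IFS tricks.
  # Assumption: CEL expressions on the right-hand side contain no commas.
  rest="$mapping"
  while [ -n "$rest" ]; do
    case "$rest" in
      *,*) pair=${rest%%,*}; rest=${rest#*,} ;;
      *)   pair=$rest;       rest='' ;;
    esac

    case "$pair" in
      *=*) ;;
      *) echo "pair '$pair' has no '='" >&2; status=1; continue ;;
    esac
    target=${pair%%=*}
    source=${pair#*=}

    # Left side: where the claim lands on the Google side.
    case "$target" in
      google.subject|google.groups|attribute.?*) ;;
      *) echo "bad target '$target' (expected google.subject, google.groups or attribute.<name>)" >&2; status=1 ;;
    esac

    # Right side: must read from the token, i.e. reference assertion.<claim>.
    # This is exactly the mistake behind 'google.subject=sub' and 'google.subject=attribute.sub'.
    case "$source" in
      *assertion.?*) ;;
      *) echo "source '$source' for '$target' does not reference assertion.<claim>" >&2; status=1 ;;
    esac
  done
  return $status
}

# Constructed sample usage: lint, then only call gcloud if the mapping passes.
MAPPING="google.subject=assertion.sub,attribute.repository=assertion.repository"
if check_attribute_mapping "$MAPPING"; then
  echo "mapping OK: $MAPPING"
  # gcloud iam workload-identity-pools providers create-oidc my-provider \
  #   --location=global --workload-identity-pool=my-pool \
  #   --issuer-uri=https://token.actions.githubusercontent.com \
  #   --attribute-mapping="$MAPPING" \
  #   --attribute-condition='assertion.repository_owner == "my-org"'
fi
```

Run it before the create-oidc call in a CI job or a wrapper script; the gcloud invocation is left commented out so the check can be exercised on a workstation with no project access.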
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.