This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Using workload Identity federation AWS ECS

Posted 3 weeks ago
TridentChase
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

How would one go about setting up workload identity federation for AWS ECS (container service)? 

IMDS url for EC2 instance - http://169.254.169.254/latest/meta-data/iam/security-credentials 

URL for ECS - http://169.254.170.2/get-credentials

When I try to use the config file that's generated after setting up WIF as per Google docs, I see "Failed to retrieve AWS credentials" exception in my application running on AWS ECS.

I used java gcp sdk to retrieve google credentials - 

String base64EncodedGCPCredentials = credentialsMap.get("base64EncodedGCPCredentials")

GoogleCredentials credentials = GoogleCredentials.fromStream(new ByteArrayInputStream(Base64.getDecoder().decode(base64EncodedGCPCredentials)));
Dns dns = DnsOptions.newBuilder()
.setCredentials(credentials)
.setProjectId(projectId)
.build()
.getService();

Any pointers on how to handle authentication using WIF with AWS ECS?

2 2 97
Topic Labels
2 REPLIES 2

Posted on --/--/---- --:-- AM
MaxImbrox
Silver 2
Silver 2
Reply posted on --/--/---- --:-- AM

Hi @TridentChase.,

have you followed the GCP official documentation? 
--> https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds

Posted on --/--/---- --:-- AM
TridentChase
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi @MaxImbrox ,

Yes I did. I see this 403 error when I try to use the service : 

POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/cloud-dns@gcp-tcore.iam.gservice...

{
  "error": {
   "code": 403,
   "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
   "errors": [
    {
     "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
     "domain": "global",
     "reason": "forbidden"
    }
   ],
   "status": "PERMISSION_DENIED",
   "details": [
    {
     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
     "reason": "IAM_PERMISSION_DENIED",
     "domain": "iam.googleapis.com",
     "metadata": {
      "permission": "iam.serviceAccounts.getAccessToken"
     }
    }
   ]
  }
 }

The service account being used does have iam.serviceAccounts.getAccessToken and I've double checked it.