Documentation: Improve information on using ID Tokens with GCP
Problem to solve
A GitLab.com customer raised an emergency ticket (see details here). It was identified that they are affected by the removal of JSON Web Tokens which was announced in 15.9, and they are still using CI_JOB_JWT_V2. During a courtesy call to examine the behaviour, we reviewed the existing documentation for ID tokens for security management, and I made suggestions on how to implement this for their workflow.
The customer is continuing to encounter some errors related to the audience expected from GCP and what is provided as aud for the ID Token. This is a specific error they encounter:
om.google.auth.oauth2.OAuthException: Error code invalid_grant: The audience in ID Token [//iam.googleapis.com/projects/<id>/locations/global/workloadIdentityPools/<pool>/providers/<provider>] does not match the expected audience.
Using this documentation as a suggestion, they ensured that the relevant pool, provider, and attribute mapping exist. Some documentation clarity might be needed on the use of Allowed audiences and how this should match aud from GitLab.
The customer used multiple allowed audiences including https://gitlab.com, https://iam.googleapis.com (and non-https:// versions), \\iam.googleapis.com, and a full audience path such as //iam.googleapis.com/projects/<id>/locations/global/workloadIdentityPools/<pool>/providers/<provider> and https://iam.googleapis.com/projects/<id>/locations/global/workloadIdentityPools/<pool>/providers/<provider>. These appear to be insufficient to accomplish the setup, as the error continues to be encountered.
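The mismatch above comes down to an exact string comparison: GCP accepts the token only if its aud claim equals one of the provider's allowed audiences, or, when none are configured, the default audience https://iam.googleapis.com/projects/<project-number>/locations/global/workloadIdentityPools/<pool>/providers/<provider> (note the https: scheme and the numeric project number rather than the project ID). The value GitLab puts in aud is whatever the job sets under id_tokens: <NAME>: aud: in .gitlab-ci.yml, so the two configurations must be copied from the same string. The following diagnostic is an added example, not code from the issue or from GitLab: it decodes the token payload without verifying the signature (GCP still does that), compares aud against the expected set, and explains the most likely cause of a mismatch. The sample claims, project number, pool and provider names are constructed placeholders.

```python
import base64
import json

IAM_AUDIENCE_PREFIX = "//iam.googleapis.com/projects/"


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    # Reads the payload only. No signature check: this is a diagnostic for
    # comparing claims; GCP verifies the signature against GitLab's JWKS.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def provider_resource(project_number: str, pool_id: str, provider_id: str) -> str:
    # Resource name of the workload identity pool provider, without scheme.
    # GCP builds this from the numeric project number, not the project ID.
    return (f"{IAM_AUDIENCE_PREFIX}{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def expected_audiences(project_number, pool_id, provider_id, allowed_audiences=()):
    # With no explicit allowed audiences, GCP expects "https:" + the provider
    # resource name. Otherwise only the configured strings are accepted.
    if allowed_audiences:
        return set(allowed_audiences)
    return {"https:" + provider_resource(project_number, pool_id, provider_id)}


def token_audiences(claims: dict) -> set:
    # RFC 7519: "aud" may be a single string or an array of strings.
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)


def _strip_scheme(audience: str) -> str:
    for scheme in ("https:", "http:"):
        if audience.startswith(scheme):
            return audience[len(scheme):]
    return audience


def _project_segment(audience: str):
    # The "<id>" between "/projects/" and the next "/", if present.
    if "/projects/" not in audience:
        return None
    return audience.split("/projects/", 1)[1].split("/", 1)[0]


def check_audience(token: str, expected: set):
    """Return (matched, hints). Hints explain the closest near-miss."""
    auds = token_audiences(decode_jwt_claims(token))
    if auds & expected:
        return True, []
    hints = []
    for a in sorted(auds):
        for e in sorted(expected):
            if _strip_scheme(a) == _strip_scheme(e):
                hints.append(f"scheme mismatch: token aud {a!r} vs expected {e!r}; "
                             "GCP compares the full string, including 'https:'")
            elif _project_segment(a) != _project_segment(e):
                hints.append(f"project segment differs: token has {_project_segment(a)!r}, "
                             f"expected {_project_segment(e)!r} (use the numeric project number)")
            else:
                hints.append(f"no match: token aud {a!r} vs expected {e!r}")
    return False, hints


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample for this example only; a real GitLab ID token is
    # RS256-signed. The empty third segment keeps the header.payload.signature shape.
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed claims mirroring the shape of the aud in the reported error.
SAMPLE_CLAIMS = {
    "iss": "https://gitlab.com",
    "sub": "project_path:example-group/example-project:ref_type:branch:ref:main",
    "aud": provider_resource("123456789012", "gitlab-pool", "gitlab-provider"),
}

if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    for label, expected in [
        ("default audience", expected_audiences("123456789012", "gitlab-pool", "gitlab-provider")),
        ("allowed-audiences set", expected_audiences("123456789012", "gitlab-pool", "gitlab-provider",
                                                     allowed_audiences=[SAMPLE_CLAIMS["aud"]])),
    ]:
        ok, hints = check_audience(token, expected)
        print(label, "->", "match" if ok else "mismatch", hints)
```

Run against a real token by pasting the value of the id_tokens variable from a job and the provider's allowed audiences (as shown by gcloud iam workload-identity-pools providers describe); a "scheme mismatch" hint means the job's aud and the provider's allowed audience differ only by the https: prefix, which is exactly the case the customer's list of attempted values falls into.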
Further details
Proposal
Update documentation with additional examples, and potentially include screenshots to show what this should look like in GCP IAM.
Who can address the issue
Likely group::pipeline security?