
I would like to access an AWS resource with GCP credentials from my local computer. My code works fine if I run everything in GCP from a Cloud Function, but this should also work locally.

If I run my code locally I get the following error, which says that my generated JWT token is invalid:

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Error normalizing issuer

I have a service account key file on my local machine. I create a JWT token from this file:

from google.auth import jwt as google_auth_jwt
from google.auth.transport import requests as ga_requests


def create_jwt_token(keyfile: str, audience: str) -> str:
    # Build a JWT signed with the service account's private key from the key file.
    jwt_creds = google_auth_jwt.Credentials.from_service_account_file(
        keyfile, audience=audience)
    request = ga_requests.Request()
    jwt_creds.refresh(request)
    # The token is returned as bytes; decode it to a string for the STS call.
    return jwt_creds.token.decode('utf-8')

The issuer is equal to the service account email address. For the audience I set the GCP project ID.

Here is the code for generating AWS credentials:

import boto3


def generate_aws_credentials(arn: str, token: str, role_session_name: str) -> dict:
    # Exchange the web identity token for temporary AWS credentials via STS.
    sts = boto3.client('sts', region_name="eu-west-1")
    try:
        result = sts.assume_role_with_web_identity(
            RoleArn=arn,
            WebIdentityToken=token,
            RoleSessionName=role_session_name)
    except Exception as ex:
        # Re-raise with context, keeping the original STS error attached.
        raise RuntimeError(f"unable to create aws identity token. {ex}") from ex
    return result

As I said, the code works from within GCP but not locally. I am not able to see the difference between the tokens in GCP and locally.

Nimantha
soa

Comments:
  • Didn't read your question fully but saw it and was reminded of my buddy's post on the topic. Hope it helps: https://medium.com/google-cloud/exchange-aws-credentials-for-gcp-credentials-using-gcp-sts-service-88dd40c1f68c – DazWilkin Jul 23 '21 at 15:52
  • Thank you, but the article is about workload identity federation. This works very well. My problem is with AWS web identity federation if I try to run everything on a local machine. – soa Jul 26 '21 at 15:28
  • @soa were you able to solve this issue? – mehere Dec 03 '21 at 04:26

1 Answer

I had the same issue and found that the above code signs a JWT using the referenced service account key, but that JWT is not issued by Google.

Try gcloud auth activate-service-account --key-file=./YOUR/KEY.json --audiences=<AUDIENCE> and you get a very different JWT with "iss": "https://accounts.google.com".

That can be done in Python too, I'm sure; sorry, I don't have a sample.

Now my issue is a mismatch of audiences against the OIDC provider configured in AWS; that is a separate issue.

Daniel H
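The answer's point is the `iss` claim: a JWT signed locally with the key file carries the service account email as issuer, while a Google-issued ID token carries https://accounts.google.com. The following added example (not from the question or the answer) decodes a token's claims without verifying the signature so the two can be compared before calling STS, and shows one way to obtain a Google-issued ID token in Python; the `google_id_token` helper assumes the google-auth library is installed, and the sample tokens and service account email are constructed placeholders.

```python
import base64
import json
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    # Payload claims only, signature NOT verified: for local inspection, STS does the real check.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_web_identity_token(token: str) -> list:
    # Reasons AssumeRoleWithWebIdentity would reject this token as a Google identity.
    claims = jwt_claims(token)
    problems = []
    iss = claims.get("iss", "")
    if iss not in GOOGLE_ISSUERS:
        problems.append(f"iss is {iss!r}: signed with the service account key itself, "
                        "not issued by Google; expected https://accounts.google.com")
    if "aud" not in claims:
        problems.append("aud missing: must match the audience on the AWS OIDC provider")
    if claims.get("exp", 0) <= time.time():
        problems.append("token is expired")
    return problems


def google_id_token(keyfile: str, audience: str) -> str:
    # Google-issued OIDC ID token for the service account (assumes google-auth is installed).
    from google.auth.transport.requests import Request
    from google.oauth2.service_account import IDTokenCredentials
    creds = IDTokenCredentials.from_service_account_file(keyfile, target_audience=audience)
    creds.refresh(Request())
    return creds.token


def _make_unsigned_jwt(claims: dict) -> str:
    # Constructed sample token with a dummy signature, for demonstration only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


# Constructed samples: what the question's helper produces vs. a Google-issued ID token.
SA_EMAIL = "my-sa@my-project.iam.gserviceaccount.com"  # placeholder
SELF_SIGNED = _make_unsigned_jwt({"iss": SA_EMAIL, "sub": SA_EMAIL, "aud": "my-project",
                                  "iat": 1700000000, "exp": 4102444800})
GOOGLE_ISSUED = _make_unsigned_jwt({"iss": "https://accounts.google.com", "sub": "1234567890",
                                    "aud": "my-project", "email": SA_EMAIL,
                                    "iat": 1700000000, "exp": 4102444800})
```

Running `diagnose_web_identity_token` on the locally signed token reports the issuer mismatch, while the Google-issued token passes; the `aud` value still has to match the audience configured on the AWS OIDC identity provider.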