Open tgoodsell-tempus opened 2 years ago
Thank you so much @tgoodsell-tempus this fixed my issues after losing SEVERAL HOURS figuring out what was not working.
I have an AWS IAM Role that is impersonating a ServiceAccount using Workload Identity Federation which then impersonates a ServiceAccount that manages Google Workspace so figuring this out was kind of hard until Google pointed me to this PR 🙏 .
@SarahFrench @megan07 Can we have this merged, please?
@sheneska do you think we can merge this? Thanks! 🙏
What: When using the current configurations to do an `impersonated_user_email` using a defined `access_token`, the call is using the `signJwt` method under the hood and improperly setting up the impersonated token. This switches to the better supported `generateAccessToken` API method.

Why: Even with the `iam.serviceAccountTokenCreator` role applied, the `signJwt` method is providing a 403 error when attempting this operation. However, using the `generateAccessToken` method succeeds as expected. Ultimately this produces the same access token required for the client.
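The `generateAccessToken` exchange the PR switches to, as an added Go example that is not the provider's code: it posts to the IAM Credentials REST endpoint with the access token the caller already holds (for instance one minted through Workload Identity Federation) and returns the target service account's token. The function name and the injectable `baseURL` parameter are assumptions made for testability; the endpoint path and JSON field names are those of the public API.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// Request and response bodies of the IAM Credentials generateAccessToken method.
type GenerateAccessTokenRequest struct {
	Delegates []string `json:"delegates,omitempty"` // projects/-/serviceAccounts/<email>
	Scope     []string `json:"scope"`
	Lifetime  string   `json:"lifetime,omitempty"` // e.g. "3600s"
}

type GenerateAccessTokenResponse struct {
	AccessToken string `json:"accessToken"`
	ExpireTime  string `json:"expireTime"`
}

// ImpersonateWithAccessToken exchanges a token the caller already holds (sourceToken, e.g. one
// minted through Workload Identity Federation) for an access token of targetSA via the
// generateAccessToken method. The caller needs roles/iam.serviceAccountTokenCreator on targetSA
// (or on the first delegate). baseURL is injectable for tests; production is https://iamcredentials.googleapis.com.
func ImpersonateWithAccessToken(client *http.Client, baseURL, sourceToken, targetSA string, delegates, scopes []string) (*GenerateAccessTokenResponse, error) {
	body, err := json.Marshal(GenerateAccessTokenRequest{Delegates: delegates, Scope: scopes, Lifetime: "3600s"})
	if err != nil {
		return nil, err
	}
	url := fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:generateAccessToken", baseURL, targetSA)
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+sourceToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	// A 403 here means the token-creator binding is missing; surface the status so callers can tell it from a transport error.
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("generateAccessToken: unexpected status %d", resp.StatusCode)
	}
	var out GenerateAccessTokenResponse
	err = json.NewDecoder(resp.Body).Decode(&out)
	return &out, err
}
```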