![](/img/trans.png)
[英]Gitlab connection to GCP Workload Identity Federation return invalid_grant
[英]Gitlab connection to GCP Workload Identity returning invalid_grant on a JWKs parsing error
我已經使用本地 gitlab 安裝設置了工作負載身份聯合,提供者狀態在控制台中顯示為“已啟用”並且健康。
我沒有過去的部分具體是這樣的:
- |
PAYLOAD=$(cat <<EOF
{
"audience": "//iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_ID}/providers/${PROVIDER_ID}",
"grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
"requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
"scope": "https://www.googleapis.com/auth/cloud-platform",
"subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
"subjectToken": "${CI_JOB_JWT_V2}"
}
EOF
)
- echo $PAYLOAD
- |
FEDERATED_TOKEN=$(curl -X POST "https://sts.googleapis.com/v1/token"
--header "Accept: application/json"
--header "Content-Type: application/json"
--data "${PAYLOAD}"
)
- echo $FEDERATED_TOKEN
與Gitlab 工作示例相比,這似乎足夠正確,如果我更改觀眾,我會收到錯誤,即我的觀眾值不正確,因此它似乎至少可以與服務器對話。
這是FEDERATED_TOKEN
的錯誤響應:
{"error":"invalid_grant","error_description":"Parsing error for JWKs: [Line 0, column 0: Unexpected end of stream : expected '{']"}
我試過用谷歌搜索Parsing error for JWKs
但沒有學到任何有用的東西,有人有任何指導嗎?
提前致謝!
添加或刪除--header "Accept: application/json"
沒有多大作用。 subjectToken
似乎是正確的:
標題部分:
{"alg":"RS256","kid":"[REDACTED]","typ":"JWT"}
有效載荷部分:
{"namespace_id":"46","namespace_path":"devops","project_id":"682","project_path":"devops/terraform-source","user_id":"REDACTED","user_login":"chase","user_email":"REDACTED","pipeline_id":"124241","pipeline_source":"push","job_id":"1131468","ref":"workload-identity-debugging","ref_type":"branch","ref_protected":"false","jti":"REDACTED-1d58-43f6-9b92-72914b937023","iss":"REDACTED","iat":REDACTED,"nbf":REDACTED,"exp":REDACTED,"sub":"project_path:devops/terraform-source:ref_type:branch:ref:workload-identity-debugging","aud":"REDACTED"}
簽名很難解密/調試。
標頭、有效負載和簽名采用 base64 格式,並使用.
(點)。
在嘗試直接使用gcloud
獲取訪問令牌時,我注意到另一個有趣的行為:
$ echo ${CI_JOB_JWT_V2} > .ci_job_jwt_file
$ gcloud iam workload-identity-pools create-cred-config "projects/REDACTED/locations/global/workloadIdentityPools/${POOL_ID}/providers/${PROVIDER_ID}" --service-account="${SERVICE_ACCOUNT_EMAIL}" --output-file=.gcp_temp_cred.json --credential-source-file=.ci_job_jwt_file
Created credential configuration file [.gcp_temp_cred.json].
$ gcloud auth login --cred-file=`pwd`/.gcp_temp_cred.json
Authenticated with external account credentials for: [terraformer@REDACTED.iam.gserviceaccount.com].
Your current project is [None]. You can change this setting by running:
$ gcloud config set project PROJECT_ID
$ gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* terraformer@REDACTED.iam.gserviceaccount.com
To set the active account, run:
$ gcloud config set account `ACCOUNT`
$ echo "GOOGLE_APPLICATION_CREDENTIALS=$(gcloud auth print-access-token)"
ERROR: (gcloud.auth.print-access-token) ("Error code invalid_grant: Parsing error for JWKs: [Line 0, column 0: Unexpected end of stream : expected '{']", '{"error":"invalid_grant","error_description":"Parsing error for JWKs: [Line 0, column 0: Unexpected end of stream : expected \'{\']"}')
GOOGLE_APPLICATION_CREDENTIALS=
這似乎與我直接從 sts 看到的相同。
干杯,追逐
原來這些是 Google Workload Identity Federation 無法 1)連接到您的發行者(在我的情況下是 Gitlab)2)解析jwks_uri
的症狀。
從外部憑證的驗證中,我們可以學到兩件事:
$ISSUER/.well-known/openid-configuration
AKA 發現文檔建立了連接(因此請確保可訪問)jwks_uri
的值進行了后續請求(確保也可以訪問) 最后,如果您的jwks_uri
返回 500 錯誤, 這里將討論您應該在openid_connect_signing_key
(在rails-secret
中找到)周圍添加雙引號或將\n
替換為多行。 重新啟動我的 gitlab 部署后,我能夠點擊jwks_uri
(工作負載身份也是如此) - 之后我能夠生成訪問令牌。
問題解決了!
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.