
google cloud platform - Issues with GCP OIDC Integration in Bitbucket Pipelines - Stack Overflow


I'm trying to set up integration between Bitbucket Pipelines and GCP using OIDC to access GCP resources (e.g., list GCP storage buckets). Despite following all the steps outlined in the Atlassian Community guide, I encounter the following error:

ERROR: (gcloud.storage.buckets.list) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials', '{\n  "error": {\n    "code": 403,\n    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",\n    "status": "PERMISSION_DENIED",\n    "details": [\n      {\n        "@type": "type.googleapis/google.rpc.ErrorInfo",\n        "reason": "IAM_PERMISSION_DENIED",\n        "domain": "iam.googleapis",\n        "metadata": {\n          "permission": "iam.serviceAccounts.getAccessToken"\n        }\n      }\n    ]\n  }\n}\n')
Please run:
  $ gcloud auth login
to obtain new credentials.
If you have already logged in with a different account, run:
  $ gcloud config set account ACCOUNT
to select an already authenticated account to use. 

Steps I followed:

  1. Created a Workload Identity Pool in GCP:

    gcloud beta iam workload-identity-pools create bitbucket-pipelines-oidc-demo \
      --location="global" \
      --description="A workload identity pool for Bitbucket Pipelines" \
      --display-name="bitbucket-pipelines-oidc-demo" 
    
  2. Created an OIDC Provider

    gcloud beta iam workload-identity-pools providers create-oidc bitbucket-oidc-idp \
      --workload-identity-pool="bitbucket-pipelines-oidc-demo" \
      --issuer-uri=".0/workspaces/my-workspace/pipelines-config/identity/oidc" \
      --location="global" \
      --attribute-mapping="google.subject=assertion.sub,attribute.workspace_uuid=assertion.workspaceUuid" \
      --allowed-audiences="ari:cloud:bitbucket::workspace/my-workspace-uuid"
    
    
  3. Created a Service Account in GCP

    gcloud iam service-accounts create my-service-account \
      --display-name="Service account for OIDC integration"
    
    
  4. Bound the Service Account to the Workload Identity Pool.

    gcloud iam service-accounts add-iam-policy-binding [email protected] \
      --role="roles/iam.workloadIdentityUser" \
      --member="principalSet://iam.googleapis/projects/my-project-number/locations/global/workloadIdentityPools/bitbucket-pipelines-oidc-demo/attribute.workspace_uuid/my-workspace-uuid"
    
  5. Granted Permissions to the Service Account

    gcloud projects add-iam-policy-binding my-project \
      --member="serviceAccount:[email protected]" \
      --role="roles/storage.viewer"
    
    
  6. Apply (serviceAccountTokenCreator)

    gcloud projects add-iam-policy-binding my-project \
      --member="serviceAccount:[email protected]" \
      --role="roles/iam.serviceAccountTokenCreator"
    
    
  7. Configured the Bitbucket Pipeline. Here is my bitbucket-pipelines.yml file:

      image: google/cloud-sdk:alpine
    
      pipelines:
        default:
          - step:
              name: Test OIDC with GCP
              oidc: true
              script:
                # Save OIDC token to a file
                - echo -n "${BITBUCKET_STEP_OIDC_TOKEN}" > /tmp/gcp_access_token.out
    
                # Create GCP credentials
                - |
                  gcloud iam workload-identity-pools create-cred-config \
                    projects/my-project-number/locations/global/workloadIdentityPools/bitbucket-pipelines-oidc-demo/providers/bitbucket-oidc-idp \
                    --service-account="[email protected]" \
                    --output-file=/tmp/sts-creds.json \
                    --credential-source-file=/tmp/gcp_access_token.out
    
                # Export credentials
                - export GOOGLE_APPLICATION_CREDENTIALS=/tmp/sts-creds.json
    
                # Authenticate and list buckets
                - gcloud auth login --cred-file=/tmp/sts-creds.json
                - gcloud storage buckets list

Observed Issue:

  • The pipeline fails at the step where it tries to list the buckets, returning the error mentioned above.

  • It appears that the service account does not have sufficient permissions to impersonate itself or access the iam.serviceAccounts.getAccessToken permission.

Questions:

  • What am I missing in the configuration? Are there additional permissions or roles required?

  • Is the issue related to how the credentials are generated or passed in the pipeline?

  • Could there be a problem with the OIDC token itself, and how can I debug it?
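Added debugging example (not part of the original question or of any Atlassian or Google code): before touching IAM roles, read the claims in the token the pipeline writes to /tmp/gcp_access_token.out and compare them with the provider's attribute mapping, its allowed audience, and the principalSet member bound in step 4. Workload Identity Federation only lets the federated identity impersonate the service account when a mapped attribute in the token matches a member of a roles/iam.workloadIdentityUser binding on that service account, so a mismatch between the token's workspaceUuid claim and the my-workspace-uuid value in the binding is one common way to end up with the getAccessToken denial quoted above. The script assumes the placeholder values from the question (my-project-number, bitbucket-pipelines-oidc-demo, my-workspace-uuid); the token it builds for the offline run is constructed and unsigned, and the signature is deliberately not verified because the goal is inspecting claims, not trusting them.

```python
"""Inspect a Bitbucket OIDC token against the Workload Identity Pool
configuration from the question (added example, not the asker's code)."""
import base64
import json
import sys

# Values copied from the question's gcloud commands (placeholders as given there).
ATTRIBUTE_MAPPING = {            # --attribute-mapping of the provider (step 2)
    "google.subject": "sub",
    "attribute.workspace_uuid": "workspaceUuid",
}
ALLOWED_AUDIENCES = {"ari:cloud:bitbucket::workspace/my-workspace-uuid"}
PROJECT_NUMBER = "my-project-number"
POOL_ID = "bitbucket-pipelines-oidc-demo"
WORKSPACE_UUID_IN_BINDING = "my-workspace-uuid"   # value used in step 4


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload. The signature is NOT verified: this reads
    claims for debugging and must never be used to trust a token."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def map_attributes(claims: dict) -> dict:
    """Apply the provider's attribute mapping to the raw claims, failing
    loudly if a claim the mapping references is absent from the token."""
    mapped = {}
    for target, claim in ATTRIBUTE_MAPPING.items():
        if claim not in claims:
            raise KeyError(f"token lacks claim '{claim}' required for {target}")
        mapped[target] = claims[claim]
    return mapped


def member_for(workspace_uuid: str) -> str:
    """principalSet member that a workloadIdentityUser binding needs for
    tokens whose mapped attribute.workspace_uuid equals workspace_uuid."""
    return (f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}"
            f"/locations/global/workloadIdentityPools/{POOL_ID}"
            f"/attribute.workspace_uuid/{workspace_uuid}")


def check_token(token: str) -> dict:
    """Checks a failed impersonation usually comes down to: is the audience
    allowed by the provider, and does the binding's member match the token?"""
    claims = decode_claims(token)
    aud = claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    mapped = map_attributes(claims)
    expected = member_for(mapped["attribute.workspace_uuid"])
    return {
        "subject": mapped["google.subject"],
        "audience_allowed": bool(audiences & ALLOWED_AUDIENCES),
        "expected_member": expected,
        "binding_matches": expected == member_for(WORKSPACE_UUID_IN_BINDING),
    }


def make_unsigned_token(payload: dict) -> str:
    """Constructed test token. Real Bitbucket tokens are RS256-signed; this
    one carries a dummy signature so the checks can run offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.dummysig"


if __name__ == "__main__":
    # Usage: python check_oidc.py /tmp/gcp_access_token.out
    # Without an argument a constructed token with a mismatched UUID is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            tok = fh.read()
    else:
        tok = make_unsigned_token({"sub": "constructed-subject",
                                   "aud": "ari:cloud:bitbucket::workspace/my-workspace-uuid",
                                   "workspaceUuid": "some-other-uuid"})
    print(json.dumps(check_token(tok), indent=2))
```

When `binding_matches` is false, the `expected_member` string is the exact member the step-4 binding would need for the token actually being presented; when `audience_allowed` is false, the provider rejects the token before impersonation is even attempted.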
