I have a service running on AWS, and I want to publish messages to GCP via Pub/Sub, so I am using Workload Identity Federation to achieve it. My teammate set up the workload identity federation following the guidance and generated a JSON file of type "external_account". I passed this file, along with the topic ID and project ID, to GCP and tried to publish the message. However, I got an error during service account access token generation.
"message did not publish successfully: message did not publish successfully:
rpc error: code = Unauthenticated desc = transport:
per-RPC creds failed due to error: oauth2/google: unable to generate access token:
Post \"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<topic_id>@<project_id>.iam.gserviceaccount.com:generateAccessToken\":
Get \"http://169.254.169.254/latest/meta-data/iam/security-credentials\":
dial tcp 169.254.169.254:80: i/o timeout"
I don't understand what it means. I can say there's a timeout issue, but why? Can someone help me, please? Please share any ideas you have, much appreciated!
--Update
My teammate completed all the steps, and I think things like the IAM role have been created. I followed this document to verify whether it works, and it returns the error above.
I was seeing exactly this error when attempting Workload Identity authentication with GCP from AWS CodeBuild. For me the issue was that the metadata endpoint is not 169.254.169.254 in CodeBuild. Instead it is http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. However, it is required to use the 169.254.169.254 endpoint. The only way I can see to resolve this is to avoid the use of the metadata endpoint to fetch the creds, by setting AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables.
"AWS metadata endpoint not available in CodeBuild" and https://github.com/ohsawa0515/aws-ecs-gcp-workload-identity-federation/tree/main have more details.
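The comment above describes the mechanism behind the timeout: the GCP external_account credential with an AWS credential source signs an STS GetCallerIdentity request with AWS credentials, and it obtains those credentials either from the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN environment variables or, failing that, from the EC2 instance metadata service at 169.254.169.254. Inside an ECS task or a CodeBuild build that address is unreachable and the connection hangs until the i/o timeout; the task-role credentials live instead at http://169.254.170.2 plus AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. The following Go program is an added example written for this page, not code from the commenter or from the linked repository. It bridges the gap without creating long-lived static access keys: it reads the container credential endpoint the way the AWS SDKs do, then exports the temporary credentials into the three environment variables before the GCP client is constructed. The assumptions are that the GCP Go library consults those environment variables before it tries IMDS (the commenter's workaround relies on the same behaviour), and that the container endpoint returns the documented AccessKeyId / SecretAccessKey / Token / Expiration JSON document; the function and type names are my own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// ContainerCredentials mirrors the JSON document served by the AWS container
// credential endpoint used by ECS tasks and CodeBuild builds.
type ContainerCredentials struct {
	AccessKeyID     string    `json:"AccessKeyId"`
	SecretAccessKey string    `json:"SecretAccessKey"`
	Token           string    `json:"Token"`
	Expiration      time.Time `json:"Expiration"`
}

// containerCredentialsHost is the link-local address of the container
// credential endpoint. It is deliberately not 169.254.169.254, the EC2 IMDS
// address that the external_account AWS credential source tries by default.
const containerCredentialsHost = "http://169.254.170.2"

// ContainerCredentialsURL derives the credential URL from the two variables AWS
// injects into containers, in the same precedence the AWS SDKs use. ok is false
// when neither is set, i.e. we are on plain EC2 where IMDS works unchanged.
func ContainerCredentialsURL(getenv func(string) string) (url string, ok bool) {
	if full := getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI"); full != "" {
		return full, true
	}
	if rel := getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"); rel != "" {
		return containerCredentialsHost + rel, true
	}
	return "", false
}

// FetchContainerCredentials GETs the credential document. The caller passes a
// client with a short timeout so a wrong address fails fast instead of hanging
// the way the IMDS lookup in the question did.
func FetchContainerCredentials(client *http.Client, url string) (*ContainerCredentials, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, fmt.Errorf("container credential endpoint: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("container credential endpoint returned %s", resp.Status)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	if err != nil {
		return nil, err
	}
	var c ContainerCredentials
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, fmt.Errorf("decode container credentials: %w", err)
	}
	// Task-role credentials are temporary; STS rejects them without the token.
	if c.AccessKeyID == "" || c.SecretAccessKey == "" || c.Token == "" {
		return nil, errors.New("container credentials document is missing required fields")
	}
	return &c, nil
}

// ExportToEnv writes the credentials into the variables that the GCP
// external_account AWS credential source reads before falling back to IMDS
// (assumed library behaviour, see lead-in).
func ExportToEnv(c *ContainerCredentials, setenv func(key, value string) error) error {
	for k, v := range map[string]string{
		"AWS_ACCESS_KEY_ID":     c.AccessKeyID,
		"AWS_SECRET_ACCESS_KEY": c.SecretAccessKey,
		"AWS_SESSION_TOKEN":     c.Token,
	} {
		if err := setenv(k, v); err != nil {
			return err
		}
	}
	return nil
}

// BridgeContainerCredentials ties the steps together. It reports whether a
// bridge was performed; false with a nil error means no container variables
// were present and the GCP library should be left to use IMDS as-is.
func BridgeContainerCredentials(getenv func(string) string, setenv func(string, string) error, client *http.Client) (bool, error) {
	url, ok := ContainerCredentialsURL(getenv)
	if !ok {
		return false, nil
	}
	c, err := FetchContainerCredentials(client, url)
	if err != nil {
		return false, err
	}
	if !c.Expiration.IsZero() && time.Until(c.Expiration) < time.Minute {
		return false, fmt.Errorf("container credentials expire at %s; refresh before use", c.Expiration)
	}
	return true, ExportToEnv(c, setenv)
}

func main() {
	client := &http.Client{Timeout: 2 * time.Second}
	bridged, err := BridgeContainerCredentials(os.Getenv, os.Setenv, client)
	if err != nil {
		fmt.Fprintln(os.Stderr, "bridge failed:", err)
		os.Exit(1)
	}
	if bridged {
		fmt.Println("AWS task-role credentials exported; the external_account credential can now sign its STS request")
	} else {
		fmt.Println("no container credential variables set; leaving the IMDS lookup to the GCP library")
	}
	// Build the Pub/Sub client only after this point, with
	// GOOGLE_APPLICATION_CREDENTIALS pointing at the external_account JSON.
}
```

Run the bridge once at process start, before anything constructs a GCP client, because the library reads the environment when it first needs a token. The credentials the endpoint hands out expire (typically within hours), so a long-running service must re-run the bridge before expiry or the STS exchange will start failing with a different error; a one-shot CodeBuild job does not have this problem. Exporting the task role's temporary credentials in this way keeps the blast radius of a leaked environment bounded by the role's session lifetime, which is a better trade than the long-lived IAM user keys the comment's workaround would otherwise require.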