Error Code 403 Permission iam.serviceAccounts.getA...

jgnoonan1990 · 02-28-2024 10:53 AM

I am trying to test out getyAccessToken using the following curl command:

curl -X POST -H "Content-Type: application/json" \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/signal-simple-svc-acct@simple-signal-415623.iam.gserviceaccount.com:generateAccessToken

I receive the following error in response:

{
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}

The service account (URL Removed by Staff) has the following permissions: Owner, Service Account Token Creator, Service Account OpenID Connect Identity Token Creator, and Workload Identity user. I have no idea why this is happening. Any help would be greatly appreciated. I have a developer account with no organization, and my app is hosted on an AWS EC2 instance. I am using the Cognito/Google integration, although that isn't really in the picture right now. Thanks!

dionv

Hello @jgnoonan1990 ,

Even though your service account has the roles, you may want to consider ensuring the specific permission iam.serviceAccounts.getAccessToken. Attaching here the documentation that you can check for reference.

Error Code 403 Permission iam.serviceAccounts.getAccessToken denied on resource