I'm trying to set up a connection from my EC2 instance in AWS to a GCP instance using Workload Identity Federation. I've attached the aws-elasticbeanstalk-ec2-role to my EC2 instance, which is the role intended for our upcoming migration. I'm utilizing the google-auth-library for Node.js to make the connection (using client-provided code).
However, when I execute `const client = await auth.getIdTokenClient(cloudRunUrl)` on the EC2 instance, I encounter a 400 HTTP status error with the message: *Error code invalid_grant: Received invalid AWS response of type InvalidClientTokenId with error message: The security token included in the request is invalid.*
I've gone through several steps to troubleshoot this issue, including ensuring that the correct role is attached to the EC2 instance, verifying the trust policy for aws-elasticbeanstalk-ec2-role, checking the GCP credential JSON file, confirming IMDSv2 is enabled, and looking at CloudTrail logs for the AssumeRole event. Despite these efforts, I have not found a solution. Any guidance or suggestions would be greatly appreciated!
1 Answer
It sounds like you've covered a lot of bases already! Since everything seems correctly set up, I would double-check the trust policy on the AWS role. Workload Identity Federation is quite strict; even a small mismatch in the role ARN, audience, or any specific conditions can lead to rejection from GCP, even if AWS generates the token properly. Make sure everything matches up exactly how GCP requires it. Let me know if you need examples or further guidance on that!

Could you share a resource that details what the Trust Policy for the AWS role should look like?
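Added example, not code from the question or the answer: two offline sanity checks for the JSON documents involved in this setup. With the AWS flavour of Workload Identity Federation, the subject token the google-auth-library hands to Google STS is a signed AWS `GetCallerIdentity` request built from the credentials the library reads off the instance metadata service, and Google forwards that request to AWS STS for verification; an `InvalidClientTokenId` response therefore means AWS rejected the credentials the instance presented, so the metadata endpoints and the IMDSv2 token URL in the credential config matter as much as the IAM role itself. The first function checks a GCP `external_account` credential config against the shape Google documents for AWS sources; the second checks that an EC2 instance-role trust policy allows `sts:AssumeRole` for the `ec2.amazonaws.com` service principal. All sample values (project number, pool, provider, role) are constructed.

```javascript
// Added example (not from the question or answer): offline checks for an
// AWS -> GCP Workload Identity Federation credential config and the EC2
// instance role's trust policy. Nothing here calls a network endpoint.
// Assumptions: the config follows Google's documented "external_account"
// shape for AWS; the trust policy is a standard IAM role trust policy.

const AUDIENCE_RE =
  /^\/\/iam\.googleapis\.com\/projects\/\d+\/locations\/global\/workloadIdentityPools\/[^/]+\/providers\/[^/]+$/;
const AWS_SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request";
const IMDS_HOST = "http://169.254.169.254";
const STS_VERIFY_RE =
  /^https:\/\/sts\.\{region\}\.amazonaws\.com\?Action=GetCallerIdentity&Version=2011-06-15$/;

// Returns human-readable findings; an empty array means the documented shape is present.
function checkGcpAwsCredentialConfig(config, { imdsv2Required = true } = {}) {
  const findings = [];
  if (config.type !== "external_account") findings.push("type must be external_account");
  if (!AUDIENCE_RE.test(config.audience || ""))
    findings.push("audience must be //iam.googleapis.com/projects/<number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>");
  if (config.subject_token_type !== AWS_SUBJECT_TOKEN_TYPE)
    findings.push(`subject_token_type must be ${AWS_SUBJECT_TOKEN_TYPE}`);
  if (config.token_url !== "https://sts.googleapis.com/v1/token")
    findings.push("token_url must be https://sts.googleapis.com/v1/token");
  const src = config.credential_source || {};
  if (src.environment_id !== "aws1") findings.push("credential_source.environment_id must be aws1");
  for (const key of ["region_url", "url"]) {
    if (!(src[key] || "").startsWith(IMDS_HOST + "/latest/meta-data/"))
      findings.push(`credential_source.${key} must point at the instance metadata service`);
  }
  if (!STS_VERIFY_RE.test(src.regional_cred_verification_url || ""))
    findings.push("credential_source.regional_cred_verification_url must be the regional STS GetCallerIdentity URL with a {region} placeholder");
  // With IMDSv2 enforced, the library must first obtain a session token from
  // /latest/api/token; without this URL the metadata reads are rejected.
  if (imdsv2Required && src.imdsv2_session_token_url !== IMDS_HOST + "/latest/api/token")
    findings.push("IMDSv2 is required on the instance but credential_source.imdsv2_session_token_url is missing or wrong");
  return findings;
}

// An EC2 instance role is assumed by the EC2 service on the instance's behalf,
// so its trust policy must allow sts:AssumeRole for ec2.amazonaws.com.
function checkEc2TrustPolicy(policy) {
  const statements = [].concat(policy.Statement || []);
  const allowsEc2 = statements.some((s) => {
    const actions = [].concat(s.Action || []);
    const services = [].concat((s.Principal && s.Principal.Service) || []);
    return s.Effect === "Allow" && actions.includes("sts:AssumeRole") && services.includes("ec2.amazonaws.com");
  });
  return allowsEc2 ? [] : ["no Allow statement grants sts:AssumeRole to the ec2.amazonaws.com service principal"];
}

// Constructed sample: a well-formed credential config (project number, pool and provider are placeholders).
const SAMPLE_CONFIG = {
  type: "external_account",
  audience: "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/aws-pool/providers/aws-provider",
  subject_token_type: AWS_SUBJECT_TOKEN_TYPE,
  service_account_impersonation_url: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example-sa@example-project.iam.gserviceaccount.com:generateAccessToken",
  token_url: "https://sts.googleapis.com/v1/token",
  credential_source: {
    environment_id: "aws1",
    region_url: IMDS_HOST + "/latest/meta-data/placement/availability-zone",
    url: IMDS_HOST + "/latest/meta-data/iam/security-credentials",
    regional_cred_verification_url: "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
    imdsv2_session_token_url: IMDS_HOST + "/latest/api/token",
  },
};

// Constructed sample: the same config with the IMDSv2 token URL left out.
const SAMPLE_CONFIG_NO_IMDSV2 = {
  ...SAMPLE_CONFIG,
  credential_source: { ...SAMPLE_CONFIG.credential_source, imdsv2_session_token_url: undefined },
};

// Constructed sample trust policies for an EC2 instance role.
const SAMPLE_TRUST_POLICY_OK = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { Service: "ec2.amazonaws.com" }, Action: "sts:AssumeRole" }],
};
const SAMPLE_TRUST_POLICY_BAD = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: "sts:AssumeRole" }],
};

function runChecks() {
  return {
    configOk: checkGcpAwsCredentialConfig(SAMPLE_CONFIG),
    configNoImdsv2: checkGcpAwsCredentialConfig(SAMPLE_CONFIG_NO_IMDSV2),
    trustOk: checkEc2TrustPolicy(SAMPLE_TRUST_POLICY_OK),
    trustBad: checkEc2TrustPolicy(SAMPLE_TRUST_POLICY_BAD),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runChecks(), null, 2));
}
```

Run it with `node` and compare the findings against your own credential JSON and the role's trust policy; pass `{ imdsv2Required: false }` to the config check only if the instance does not enforce IMDSv2. The checks are structural: a clean result rules out the common shape mistakes but does not prove the pool provider's attribute conditions or the role's permissions on the GCP side.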