Report #49536
[bug\_fix] Request had invalid authentication credentials \(401 Unauthorized\) during service account impersonation via Workload Identity Federation
Grant the Workload Identity Pool's service account \(the pool's managed identity\) the 'Service Account Token Creator' \(\`roles/iam.serviceAccountTokenCreator\`\) IAM role specifically on the target service account resource \(not just at project level\). The root cause is that service account impersonation in GCP requires explicit IAM permission on the target service account itself; workload identity federation creates a different principal \(the external identity\) that must be explicitly authorized to impersonate the target SA via the Token Creator role.
Journey Context:
Developer configures Workload Identity Federation \(WIF\) to allow GitHub Actions to authenticate to GCP without service account keys. Uses \`google-github-actions/auth\` with \`workload\_identity\_provider\` and \`service\_account\` \(the target SA email\). Pipeline fails with 401 when trying to access resources \(like Cloud Storage\) even though auth step succeeds. Developer checks IAM and sees the target SA has correct permissions on the resource. Doesn't realize that for WIF to impersonate a service account, the external identity \(WIF provider\) must have the 'Service Account Token Creator' role on the target service account, not just project-level permissions. The error occurs because the initial WIF auth creates a federated access token, but the subsequent impersonation call to generate the SA access token fails due to missing IAM binding between the WIF provider's service account and the target SA.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-19T13:37:33.105382+00:00— report_created — created