Tags: google-cloud-platform, google-cloud-storage, google-iam, workload-identity

Forbidden Error with Google Cloud Storage When Using Tokens from Workload Identity Federation with Descope


I'm implementing Workload Identity Federation using Descope as the Identity Provider (IdP) to access Google Cloud Storage (GCS). I've successfully exchanged a Descope JWT for a Google access token but am encountering a 403 Forbidden error when attempting to read objects from a GCS bucket.

Here are the steps and configurations I've implemented:

  1. Authentication with Descope: Completed successfully.

  2. Token Exchange: Successfully exchanged the Descope JWT for a Google token using the STS endpoint with the following payload (details anonymized for security):

     POST https://sts.googleapis.com/v1/token
     Content-Type: application/json
     {
         "audience": "//iam.googleapis.com/projects/<my_project_id>/locations/global/workloadIdentityPools/descopeidp/providers/descope-default-oidc",
         "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
         "scope": "https://www.googleapis.com/auth/devstorage.read_only",
         "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
         "subjectToken": "<descope_session_jwt>",
         "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt"
     }

  3. Error Message: Despite a successful token exchange, I receive the following error when using the Google token to access GCS:

     {
         "error": {
             "code": 403,
             "message": "Caller does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist).",
             ...
         }
     }

  4. Service Account Permissions: The gcs-read service account has the roles/storage.objectViewer role assigned.

  5. Workload Identity Federation: The federation seems to be correctly configured, and IAM policy bindings are verified.

Troubleshooting Steps Taken:

Despite the correct configuration and successful token exchange, I am unable to access the GCS bucket as intended.

UPD. I understand that the error implies insufficient permissions or incorrect scope. To clarify:

IAM Role Binding: I ensured the roles/storage.objectViewer role is bound to the gcs-read service account. This binding was performed at the project level in the Google Cloud Console under IAM & Admin > IAM.

Scopes During Token Generation: The scope https://www.googleapis.com/auth/devstorage.read_only was explicitly requested when generating the token using the STS endpoint.

Resource Access: The GCS bucket I'm trying to access is within the same project where the gcs-read service account has the object viewer role. There are no bucket-specific IAM policies that would override project-level permissions.

Workload Identity Federation: The federation is configured to allow the Descope-provided identity to assume the gcs-read service account, which should inherit its permissions.

Given these details, I believe the necessary roles and scopes are in place. Could there be other minor details or specific configurations within the Google Cloud setup that I might be overlooking? I appreciate any additional insights.


Solution

  • I did not find the piece of documentation but when I tested the Alpha preview, there was 1 additional step after the STS token.

    Then, use this new token to download your file.

    I'm sure you can confirm that by digging into the Google Cloud Client library, but I can't do it, I'm currently in transit in an airport!
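The answer above does not name the extra step. The following is an added example, written for this page and not code from the question author, the answerer, or Google's client library. It assumes the extra step is the documented IAM Credentials `generateAccessToken` call: the STS exchange yields a token for the federated principal, which holds no storage role itself, so that token is presented to the IAM Credentials API to mint a short-lived access token for the `gcs-read` service account, and only that second token is sent to GCS. The service-account e-mail, project number, bucket and object name are placeholders, and the `fake_transport` is a constructed stand-in for the three Google endpoints so the chain can be run offline; `urllib_transport` is the real one.

```python
"""Added example: the three-hop Workload Identity Federation flow to GCS.

Hop 1: exchange the external (Descope) JWT at STS for a federated token
       (the call shown in the question).
Hop 2: present that federated token to the IAM Credentials API
       generateAccessToken method to obtain a short-lived token for the
       service account that actually holds roles/storage.objectViewer.
Hop 3: read the object through the GCS JSON API with the service-account token.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# (method, url, headers, body) -> (status, response body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]

STS_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDENTIALS_URL = ("https://iamcredentials.googleapis.com/v1/projects/-/"
                       "serviceAccounts/{sa}:generateAccessToken")
GCS_OBJECT_URL = "https://storage.googleapis.com/storage/v1/b/{bucket}/o/{obj}?alt=media"
STORAGE_READ_SCOPE = "https://www.googleapis.com/auth/devstorage.read_only"


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport; returns (status, body) instead of raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def sts_payload(audience: str, subject_token: str, scope: str = STORAGE_READ_SCOPE) -> dict:
    """Hop 1 body, same shape as the question's exchange. The audience path
    uses the numeric project number, not the project ID."""
    return {
        "audience": audience,
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "scope": scope,
        "subjectToken": subject_token,
        "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
    }


def _post_json(http: Transport, url: str, payload: dict, bearer: Optional[str] = None) -> dict:
    headers = {"Content-Type": "application/json"}
    if bearer:
        headers["Authorization"] = "Bearer " + bearer
    status, raw = http("POST", url, headers, json.dumps(payload).encode())
    if status != 200:
        raise RuntimeError(f"{url} returned {status}: {raw[:300]!r}")
    return json.loads(raw)


def federated_token(http: Transport, audience: str, subject_token: str) -> str:
    return _post_json(http, STS_URL, sts_payload(audience, subject_token))["access_token"]


def service_account_token(http: Transport, fed_token: str, sa_email: str,
                          scopes=(STORAGE_READ_SCOPE,)) -> str:
    """Hop 2: the federated principal needs roles/iam.workloadIdentityUser on
    sa_email, otherwise this call is the one that returns 403."""
    url = IAM_CREDENTIALS_URL.format(sa=sa_email)
    body = {"scope": list(scopes), "lifetime": "600s"}
    return _post_json(http, url, body, bearer=fed_token)["accessToken"]


def read_object(http: Transport, token: str, bucket: str, obj: str) -> bytes:
    """Hop 3: a 403 is surfaced as PermissionError carrying GCS's own message."""
    url = GCS_OBJECT_URL.format(bucket=bucket, obj=urllib.parse.quote(obj, safe=""))
    status, raw = http("GET", url, {"Authorization": "Bearer " + token}, None)
    if status == 403:
        try:
            msg = json.loads(raw)["error"]["message"]
        except (ValueError, KeyError, TypeError):
            msg = raw[:300].decode(errors="replace")
        raise PermissionError("GCS 403: " + msg)
    if status != 200:
        raise RuntimeError(f"GCS returned {status}: {raw[:300]!r}")
    return raw


def fetch_via_federation(http, audience, subject_token, sa_email, bucket, obj) -> bytes:
    fed = federated_token(http, audience, subject_token)
    return read_object(http, service_account_token(http, fed, sa_email), bucket, obj)


# Constructed fake modelling the behaviour described on the page: GCS honours
# only the service-account token; the federated token gets the same 403.
def fake_transport(method, url, headers, body):
    auth = headers.get("Authorization")
    if url == STS_URL:
        return 200, json.dumps({"access_token": "FEDERATED"}).encode()
    if url.startswith("https://iamcredentials.googleapis.com/") and auth == "Bearer FEDERATED":
        return 200, json.dumps({"accessToken": "SA-TOKEN", "expireTime": "1970-01-01T00:10:00Z"}).encode()
    if url.startswith("https://storage.googleapis.com/") and auth == "Bearer SA-TOKEN":
        return 200, b"object contents"
    err = {"error": {"code": 403, "message": "Caller does not have storage.objects.get "
                                             "access to the Google Cloud Storage object."}}
    return 403, json.dumps(err).encode()


if __name__ == "__main__":
    aud = ("//iam.googleapis.com/projects/123456/locations/global/"
           "workloadIdentityPools/descopeidp/providers/descope-default-oidc")  # placeholder
    print(fetch_via_federation(fake_transport, aud, "<descope_jwt>",
                               "gcs-read@example.iam.gserviceaccount.com", "bkt", "dir/file.txt"))
```

Swap `fake_transport` for `urllib_transport` to run it against the real endpoints. If hop 2 is the call that fails, the binding to check is the federated principal's `roles/iam.workloadIdentityUser` on the service account; if hop 3 still fails with the service-account token, the problem is the service account's own storage role or the bucket's uniform access settings.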