Skip to content

fix: issue-5388: Fixes GCP Workload Identity Federation auth issue#5392

Merged
Skarlso merged 2 commits intoexternal-secrets:mainfrom
bharath-b-rh:issue-5388
Oct 2, 2025
Merged

fix: issue-5388: Fixes GCP Workload Identity Federation auth issue#5392
Skarlso merged 2 commits intoexternal-secrets:mainfrom
bharath-b-rh:issue-5388

Conversation

@bharath-b-rh
Copy link
Copy Markdown
Contributor

@bharath-b-rh bharath-b-rh commented Oct 1, 2025

Problem Statement

GCP Workload Identity Federation authentication fails when serviceAccountRef is specified.

Related Issue

Fixes #5388

Proposed Changes

The issue is caused due to the incorrect initialization of the WIF audience.

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

@bharath-b-rh
issue-5388: Fixes GCP Workload Identity Federation auth issue
fa792af 
Signed-off-by: Bharath B <bhb@redhat.com>
@github-actions github-actions bot added kind/bug Categorizes issue or PR as related to a bug. size/xs labels Oct 1, 2025
@bharath-b-rh bharath-b-rh mentioned this pull request Oct 1, 2025
Closed
Skarlso
Skarlso reviewed Oct 1, 2025
View reviewed changes
pkg/provider/gcp/secretmanager/workload_identity_federation.go
}
config.SubjectTokenSupplier = &k8sSATokenReader{
audience: config.Audience,
audience: w.config.Audience,
Copy link
Copy Markdown
Contributor

@Skarlso Skarlso Oct 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch. I assume there were no tests for this? :D

Copy link
Copy Markdown
Contributor Author

@bharath-b-rh bharath-b-rh Oct 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, the manual e2e tests would have caught, not sure when this typo happened :)

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Oct 2, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@Skarlso Skarlso moved this to In Review in External Secrets Oct 2, 2025
@Skarlso Skarlso merged commit d21a82e into external-secrets:main Oct 2, 2025
8 checks passed
@github-project-automation github-project-automation bot moved this from In Review to Done in External Secrets Oct 2, 2025
@bharath-b-rh bharath-b-rh deleted the issue-5388 branch October 6, 2025 04:06
SamuelMolling pushed a commit to SamuelMolling/external-secrets that referenced this pull request Oct 24, 2025
@bharath-b-rh @Skarlso @SamuelMolling
issue-5388: Fixes GCP Workload Identity Federation auth issue (extern…
b80d2d7 
…al-secrets#5392)

Signed-off-by: Bharath B <bhb@redhat.com>
Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
@Sollimann Sollimann mentioned this pull request Jan 2, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Skarlso Skarlso Skarlso approved these changes

Assignees

No one assigned

Labels

kind/bug Categorizes issue or PR as related to a bug. size/xs

Projects

External Secrets
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

GCP Workload Identity Federation - invalid token request when using a Service Account

2 participants

@bharath-b-rh @Skarlso