I need to create Google Chronicle API instance using workload identity but I am getting permission denied error “unable to acquire impersonated credentials”.
iam.serviceAccountTokemCreator has already been provided.
Still getting the error.
Request more insights
+10
Need more info, but here are the key areas to investigate:
The Principal: Who or what is trying to impersonate the service account? The roles/iam.serviceAccountTokenCreator role must be granted to the correct principal (the "actor") on the target service account (the one with Chronicle API permissions). The actor depends on your environment:
serviceAccount:<PROJECT_ID>.svc.id.goog[<KSA_NAMESPACE>/<KSA_NAME>].principalSet://iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL_ID>/* (or more specific attributes/groups).soar-python@<SOAR-PROJECT>.iam.gserviceaccount.com) needs roles/iam.serviceAccountTokenCreator on your Chronicle-enabled service account.Missing roles/iam.workloadIdentityUser: This role is often required in addition to roles/iam.serviceAccountTokenCreator for Workload Identity scenarios, especially with GKE and Workload Identity Federation. Grant this role to the same principal that gets serviceAccountTokenCreator on the target service account.
Target Service Account Permissions: Ensure the service account you are trying to impersonate itself has the necessary permissions to access the Chronicle API (e.g., roles/chronicle.editor or roles/chronicle.viewer). The impersonation error is about getting the token, but once obtained, the token will only have the permissions of the impersonated account.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.