docs: add optional serviceAccountTokenCreator role for WIF + Data Explorer (GCP)#1568
Merged
…rer on GCP

When WIF credentials are used for Data Explorer, Platform has no embedded private key and must call the GCP IAM signBlob API to generate presigned URLs. roles/iam.serviceAccountTokenCreator on the SA itself is required for this to succeed. Without it, file viewing and download fail silently with a signing error. Running pipelines is unaffected.

Updates both Cloud and Enterprise Google Cloud Batch docs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Switch from self-grant (serviceAccount:SA_EMAIL) to the WIF pool principal (principalSet://...) for the serviceAccountTokenCreator binding. This scopes the permission to federated identities from the pool rather than the SA itself, matching what actually calls signBlob at runtime and making it easier to narrow scope per workspace later.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jonmarti reviewed, Jun 15, 2026
jonmarti (Contributor) approved these changes and left a comment, Jun 15, 2026:
LGTM. Technical content is accurate and matches the diagnosis we landed on in the Slack thread with the customer that hit this:

- ✅ Correct role: roles/iam.serviceAccountTokenCreator
- ✅ Correct binding shape: --member is the WIF principal (not the SA self-grant workaround the customer initially applied)
- ✅ Symmetric with the step 5 workloadIdentityUser binding on the same SA
- ✅ Correctly flagged as optional — pipelines work without it; only Data Explorer file content access triggers signBlob

Only two small suggestions left.
christopher-hakkaart (Member) approved these changes and left a comment, Jun 16, 2026:
Editorial review is 👍
- Add workspace-scoping note for serviceAccountTokenCreator binding (mirrors step 5's "all pool identities or a specific workspace" framing)
- Replace vague "signing error" with exact log phrases for searchability: SigningException + iam.serviceAccounts.signBlob permission denial

Applies to both cloud and enterprise GCB docs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
PR author (Contributor) commented:

Made changes - thanks @jonmarti. We are good to go?
Summary

roles/iam.serviceAccountTokenCreator is optional — required only when the same WIF credential is used for Data Explorer file preview/download.

Why

With a stored SA JSON key, Platform signs presigned URLs locally using the embedded private key. With WIF there is no local private key, so Platform calls the GCP IAM signBlob API instead. That API requires iam.serviceAccounts.signBlob, which is not included in roles/iam.workloadIdentityUser. Without this role, Data Explorer returns an opaque error code on file open/download.

Changes

- platform-cloud/docs/compute-envs/google-cloud-batch.md
- platform-enterprise_docs/compute-envs/google-cloud-batch.md

🤖 Generated with Claude Code
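As an added example (not part of this PR or the Seqera docs), a Python check that reads the service account's IAM policy JSON, as produced by gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json, and reports whether the step 5 workloadIdentityUser binding and the serviceAccountTokenCreator binding discussed here are present and scoped to the pool principal rather than the SA self-grant. The service account e-mail, project number and pool name are placeholders, and the sample policy is constructed inline.

```python
import copy
import json

WIU = "roles/iam.workloadIdentityUser"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
POOL_PREFIXES = ("principalSet://", "principal://")  # WIF pool / single federated identity


def members_for(policy: dict, role: str) -> set[str]:
    """Every member bound to `role` anywhere in the policy (binding conditions are ignored)."""
    return {m for b in policy.get("bindings", [])
            if b.get("role") == role for m in b.get("members", [])}


def check_wif_bindings(policy: dict, sa_email: str) -> dict:
    """Report whether the SA policy supports WIF pipelines and WIF Data Explorer."""
    pool_users = {m for m in members_for(policy, WIU) if m.startswith(POOL_PREFIXES)}
    signers = members_for(policy, TOKEN_CREATOR)
    self_grant = f"serviceAccount:{sa_email}" in signers
    pool_signers = {m for m in signers if m.startswith(POOL_PREFIXES)}
    return {
        "pipelines_ok": bool(pool_users),  # step 5 binding: pool identities may impersonate the SA
        "data_explorer_ok": bool(pool_signers & pool_users) or self_grant,  # signBlob caller holds tokenCreator
        "self_grant_present": self_grant,  # the broader workaround; prefer the pool principal
        "pool_signers": sorted(pool_signers),
    }


def grant_pool_signer(policy: dict, pool_member: str) -> dict:
    """Copy of `policy` with the pool principal bound to serviceAccountTokenCreator, i.e. what
    `gcloud iam service-accounts add-iam-policy-binding SA --role=... --member=...` does."""
    new = copy.deepcopy(policy)
    for b in new.setdefault("bindings", []):
        if b.get("role") == TOKEN_CREATOR and "condition" not in b:
            if pool_member not in b.setdefault("members", []):
                b["members"].append(pool_member)
            return new
    new["bindings"].append({"role": TOKEN_CREATOR, "members": [pool_member]})
    return new


# Constructed sample shaped like `gcloud iam service-accounts get-iam-policy SA --format=json`.
SA = "tower-sa@example-project.iam.gserviceaccount.com"  # placeholder SA
POOL = ("principalSet://iam.googleapis.com/projects/123456789012/locations/global/"
        "workloadIdentityPools/seqera-pool/*")  # placeholder pool (all identities)
BEFORE = {"bindings": [{"role": WIU, "members": [POOL]}], "etag": "BwXyz="}  # step 5 only
AFTER = grant_pool_signer(BEFORE, POOL)  # with the optional binding from this PR

if __name__ == "__main__":
    for name, pol in (("before", BEFORE), ("after", AFTER)):
        print(name, json.dumps(check_wif_bindings(pol, SA)))
```

In the "before" state pipelines run but Data Explorer file open/download fails at signBlob; "after" reports both as working with the permission scoped to the pool, not the SA itself.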