
invalid_request when calling https://sts.googleapis.com/v1/token API


I am attempting to call the https://sts.googleapis.com/v1/token API from AWS Lambda to perform a workload identity federation and am getting the error {"error":"invalid_request","error_description":"The size of mapped attribute google.subject exceeds the 127 bytes limit. Either modify your attribute mapping or the incoming assertion to produce a mapped attribute that is less than 127 bytes."}

Input:

{
  "subjectToken": "[EncodedSigv4token]",
  "audience": "//iam.googleapis.com/projects/[projectID]/locations/global/workloadIdentityPools/awspool/providers/alpha",
  "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
  "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
  "scope": "https://www.googleapis.com/auth/cloud-platform",
  "subjectTokenType": "urn:ietf:params:aws:token-type:aws4_request"
}

I am not able to figure out what this error means and how to resolve this. I am following https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#rest to make the STS API call.


Solution

  • The error I was facing was because the IAM Role ARN was too long in my case. Fixed the issue by giving a shorter name to the assumed role. After that I was able to use Google workload identity federation successfully.
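Added pre-flight check (example code, not from the question or answer above): with the default AWS provider mapping google.subject=assertion.arn, the mapped subject is the assumed-role ARN that STS GetCallerIdentity returns for the Lambda execution role, so its UTF-8 byte length can be checked before the token exchange is attempted. The session-name-equals-function-name shape of the ARN and all sample values are assumptions.

```python
import re

# Limit quoted in the STS error message on this page: a mapped attribute
# such as google.subject may be at most 127 bytes.
GOOGLE_SUBJECT_MAX_BYTES = 127

# Shape of the ARN that AWS STS GetCallerIdentity returns for an assumed
# role; with the default mapping this string becomes google.subject.
ASSUMED_ROLE_ARN = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[^/]+)/(?P<session>[^/]+)$"
)


def parse_assumed_role_arn(arn):
    """Split an assumed-role STS ARN into account, role and session name."""
    m = ASSUMED_ROLE_ARN.match(arn)
    if not m:
        raise ValueError(f"not an assumed-role STS ARN: {arn!r}")
    return m.groupdict()


def check_google_subject(arn, limit=GOOGLE_SUBJECT_MAX_BYTES):
    """Report whether assertion.arn fits the google.subject byte limit.

    Returns the UTF-8 byte length, whether it fits, how many bytes must be
    trimmed from the role or session name if not, and the parsed parts so
    the caller can see which component is the long one.
    """
    size = len(arn.encode("utf-8"))
    parts = parse_assumed_role_arn(arn)
    return {
        "bytes": size,
        "fits": size <= limit,
        "excess": max(0, size - limit),
        "role": parts["role"],
        "session": parts["session"],
    }


def lambda_sts_arn(account, role_name, function_name):
    """Constructed ARN as a Lambda sees it (assumption: session name == function name)."""
    return f"arn:aws:sts::{account}:assumed-role/{role_name}/{function_name}"


if __name__ == "__main__":
    # Constructed samples: an overly long role/function pair and a short one.
    for arn in (lambda_sts_arn("123456789012", "a" * 60, "b" * 50),
                lambda_sts_arn("123456789012", "lambda-gcp-wif", "token-exchange")):
        r = check_google_subject(arn)
        print(r["bytes"], "bytes:", "OK" if r["fits"] else f"too long by {r['excess']}")
```

Run the check on the ARN returned by GetCallerIdentity before calling https://sts.googleapis.com/v1/token; if it does not fit, shorten the role or function name, or change the provider's attribute mapping to a shorter expression.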