OIDC issuer url with Google Cloud

Problem to solve

Describe your question in as much detail as possible:
I am setting up OIDC integration with Google Cloud. One item that I have not nailed down is the issuer URL.
According to GitLab's documentation [1], the issuer URL should be:
https://auth.gcp.gitlab.com/oidc/<top-level-group-name>.
When I configure my Google Cloud Workload Identity Provider with this value, my pipeline fails with:

{"error":"invalid_grant","error_description":"The issuer in ID Token https://gitlab.com does not match the expected ones: https://auth.gcp.gitlab.com/oidc/<top-level-group-name>."}

If I change my Google Cloud Workload Identity Provider to use https://gitlab.com/ [2], the integration works.

My question:
In what use cases does the issuer URL in [1] apply? If [1] is a valid option, how can I configure the authentication flow to use it?

[1] Google Cloud Workload Identity Federation and IAM policies | GitLab
[2] Configure OpenID Connect with GCP Workload Identity Federation | GitLab

Configuration

# .gitlab-ci.yml
variables:
  GOOGLE_CLOUD_PROJECT: my-project-443418
  GOOGLE_SERVICE_ACCOUNT_EMAIL: test-svc-acct@my-project-443418.iam.gserviceaccount.com
  GOOGLE_WORKLOAD_IDENTITY_PROVIDER: projects/012345678900/locations/global/workloadIdentityPools/test-wip/providers/test-wip-provider
stages:
  - auth

auth:
  image: docker.io/google/cloud-sdk:slim
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://iam.googleapis.com/projects/012345678900/locations/global/workloadIdentityPools/test-wip/providers/test-wip-provider
  script:
    - mkdir -p _google_auth
    - echo "${GITLAB_OIDC_TOKEN}" > $CI_PROJECT_DIR/_google_auth/.ci_job_jwt_file
    - gcloud iam workload-identity-pools create-cred-config ${GOOGLE_WORKLOAD_IDENTITY_PROVIDER}
      --service-account="${GOOGLE_SERVICE_ACCOUNT_EMAIL}"
      --service-account-token-lifetime-seconds=600
      --output-file=$CI_PROJECT_DIR/_google_auth/.gcp_temp_cred.json
      --credential-source-file=$CI_PROJECT_DIR/_google_auth/.ci_job_jwt_file
    - gcloud config set project my-project-443418
    - gcloud auth login --cred-file=$CI_PROJECT_DIR/_google_auth/.gcp_temp_cred.json
    - gcloud storage ls gs://my-bucket-2024
  stage: auth
  when: manual

# Google Provider Issuer
gcloud iam workload-identity-pools providers describe test-wip-provider --workload-identity-pool="test-wip" --location="global" --format="get(oidc)"
issuerUri=https://auth.gcp.gitlab.com/oidc/<top-level-group-name>

Versions

Please select whether options apply, and add the version information.

  • Self-managed
  • GitLab.com SaaS
  • Dedicated
  • Self-hosted Runners

Versions

  • GitLab (Web: /help or self-managed system information sudo gitlab-rake gitlab:env:info):
  • GitLab Runner, if self-hosted (Web /admin/runners or CLI gitlab-runner --version): 17.5.3

Thanks
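A local diagnostic for the mismatch described in the post, added here as an example and not part of the original post or of GitLab's or Google's tooling: it decodes the `iss` and `aud` claims of a GitLab ID token (signature not verified, Google does that) and compares them with the Workload Identity Provider's `issuerUri` and expected audience before the token is handed to `gcloud`. The token below is constructed to mirror the error message; the provider resource name is the one from the job configuration, and the `sub` value is a made-up example.

```python
import base64
import json

# Values taken from the job configuration above (the project id is not real).
PROVIDER = ("projects/012345678900/locations/global/workloadIdentityPools/"
            "test-wip/providers/test-wip-provider")
EXPECTED_AUD = "https://iam.googleapis.com/" + PROVIDER


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed ID token with a dummy signature (local testing only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"


def jwt_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, issuer_uri: str, expected_aud: str) -> list[str]:
    """Compare the token's iss/aud with the provider's issuerUri and audience.

    Returns human-readable mismatches; an empty list means the token would
    pass Google's issuer and audience checks (signature aside).
    """
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != issuer_uri:
        problems.append(f"iss {claims.get('iss')!r} != issuerUri {issuer_uri!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        problems.append(f"aud {aud!r} does not include {expected_aud!r}")
    return problems


if __name__ == "__main__":
    # Constructed token: iss is what GitLab's id_tokens put in the job token.
    token = make_unsigned_jwt({"iss": "https://gitlab.com", "aud": EXPECTED_AUD,
                               "sub": "project_path:my-group/my-project"})
    for p in check_token(token, "https://auth.gcp.gitlab.com/oidc/my-group", EXPECTED_AUD):
        print("MISMATCH:", p)
```

In a real job, read the token from `${GITLAB_OIDC_TOKEN}` and the issuer from the `gcloud ... providers describe` output shown above instead of the constructed values.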