Unable to sign JWT when using serviceAccountId

感动是毒 2020-12-16 20:23

We've switched from service account keys to serviceAccountIds (or tried to) so we can clean up all the rogue keys we have. After rolling out the change we're seeing:

1 answer
  • 2020-12-16 20:59

    There are two service accounts being used in this case:

    1. The service account used to authorize RPC calls (in case of Cloud Functions, this is the App Engine default service account).
    2. The service account you have specified as the serviceAccountId.

    It seems IAM only works when BOTH service accounts have the signBlob permission. I have inquired with the GCP/IAM team about this. In the meantime, here are a couple of fixes you can try immediately:

    • Grant the token creator role to the App Engine default service account of your project.
    • Once you do that, you don't have to specify a serviceAccountId at all. The SDK will auto-discover that same service account ID when running in Functions.
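The answer's rule (both the calling service account and the one named as serviceAccountId need signBlob) is easy to audit from the project's IAM policy. The following script is an added example written for this page, not code from the post or from the SDK; the project id, service account emails and policy contents are constructed placeholders. It assumes the policy JSON has the shape produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`, and it checks only the predefined role `roles/iam.serviceAccountTokenCreator` (which carries `iam.serviceAccounts.signBlob`); a custom role that also grants signBlob would be reported as missing.

```python
import json

# Predefined role that includes iam.serviceAccounts.signBlob.
TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator"

# Constructed placeholders, not values from the post.
PROJECT_ID = "example-project"
APPENGINE_SA = f"{PROJECT_ID}@appspot.gserviceaccount.com"          # runtime caller in Functions
SIGNER_SA = f"token-signer@{PROJECT_ID}.iam.gserviceaccount.com"    # passed as serviceAccountId

# Constructed sample policy in the shape of `gcloud projects get-iam-policy --format=json`.
# Only the signer has the token creator role; the App Engine default account does not,
# which is exactly the situation the answer describes.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor", "members": [f"serviceAccount:{APPENGINE_SA}"]},
        {"role": TOKEN_CREATOR_ROLE, "members": [f"serviceAccount:{SIGNER_SA}"]},
    ],
    "etag": "placeholder-etag=",
    "version": 1,
})


def members_with_role(policy: dict, role: str) -> set:
    """Collect every member bound to `role` anywhere in the policy."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def missing_token_creator(policy_json: str, service_accounts: list) -> list:
    """Return the service account emails that lack the token creator role."""
    holders = members_with_role(json.loads(policy_json), TOKEN_CREATOR_ROLE)
    return [sa for sa in service_accounts if f"serviceAccount:{sa}" not in holders]


def check_custom_token_setup(policy_json: str, runtime_sa: str, signer_sa: str = None) -> dict:
    """Apply the answer's rule: the runtime (RPC caller) account and, when a distinct
    serviceAccountId is configured, the signer must both hold the role."""
    accounts = [runtime_sa]
    if signer_sa and signer_sa != runtime_sa:
        accounts.append(signer_sa)
    missing = missing_token_creator(policy_json, accounts)
    return {"ok": not missing, "missing": missing}


def grant_token_creator(policy_json: str, service_account: str) -> str:
    """Return a copy of the policy with the role granted to `service_account`
    (what the first fix in the answer does for the App Engine default account)."""
    policy = json.loads(policy_json)
    member = f"serviceAccount:{service_account}"
    for binding in policy.setdefault("bindings", []):
        if binding.get("role") == TOKEN_CREATOR_ROLE:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        policy["bindings"].append({"role": TOKEN_CREATOR_ROLE, "members": [member]})
    return json.dumps(policy)


def remediation_command(project_id: str, service_account: str) -> str:
    """The gcloud command that applies the same project-level binding."""
    return (
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member=serviceAccount:{service_account} --role={TOKEN_CREATOR_ROLE}"
    )


if __name__ == "__main__":
    result = check_custom_token_setup(SAMPLE_POLICY, APPENGINE_SA, SIGNER_SA)
    for sa in result["missing"]:
        print(f"{sa} lacks {TOKEN_CREATOR_ROLE}; fix with:\n  {remediation_command(PROJECT_ID, sa)}")
```

Running the check against the sample policy reports the App Engine default account as missing the role even though the signer has it, matching the symptom in the question. Once the binding is added, the same check passes whether or not serviceAccountId is still set, which is why the answer says it can then be dropped.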