Environment details
- OS: GKE, container based OS
- Java version: 11
- google-auth-library-java version(s): We are using 0.12.0 but the issue is in the latest (0.16.1) as well
Steps to reproduce
To reproduce using curl:
# Start by running a cloud-sdk pod in the GKE cluster that has workload identity enabled
kubectl run -it --generator=run-pod/v1 --image google/cloud-sdk --namespace default workload-identity-test
# When inside the pod, try to verify without header
curl -H 'Accept: application/json' -H "Metadata-Flavor: Not Google" http://169.254.169.254
# Verify that it does work with the header
curl -H 'Accept: application/json' -H "Metadata-Flavor: Google" http://169.254.169.254
In other places in the ComputeEngineCredentials.java the header is added.
When running the sample in java-docs-samples using
mvn exec:java -Dexec.mainClass=com.google.cloud.auth.samples.AuthExample -Dexec.args="compute"
it works, since it bypasses the check: we are explicitly telling it to use the Compute Engine credentials. However, when running it with:
mvn exec:java -Dexec.mainClass=com.google.cloud.auth.samples.AuthExample
using the default credentials, it does not work, even though it should resolve that it is running on Compute Engine.
Stacktrace
Caused by: java.io.IOException: The Application Default Credentials are not available. They are available if running in Google Compute Engine. Otherwise, the environment variable GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file defining the credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
at com.google.auth.oauth2.DefaultCredentialsProvider.getDefaultCredentials(DefaultCredentialsProvider.java:132) ~[google-auth-library-oauth2-http-0.16.1.jar:na]
at com.google.auth.oauth2.GoogleCredentials.getApplicationDefault(GoogleCredentials.java:115) ~[google-auth-library-oauth2-http-0.16.1.jar:na]
at com.google.auth.oauth2.GoogleCredentials.getApplicationDefault(GoogleCredentials.java:88) ~[google-auth-library-oauth2-http-0.16.1.jar:na]
at com.google.api.gax.core.GoogleCredentialsProvider.getCredentials(GoogleCredentialsProvider.java:67) ~[gax-1.45.0.jar:1.45.0]
at org.springframework.cloud.gcp.core.DefaultCredentialsProvider.getCredentials(DefaultCredentialsProvider.java:67) ~[spring-cloud-gcp-core-1.2.0.BUILD-SNAPSHOT.jar:1.2.0.BUILD-SNAPSHOT]
at com.google.api.gax.rpc.ClientContext.create(ClientContext.java:140) ~[gax-1.45.0.jar:1.45.0]
at com.google.cloud.pubsub.v1.stub.GrpcSubscriberStub.create(GrpcSubscriberStub.java:263) ~[google-cloud-pubsub-1.78.0.jar:1.78.0]
at org.springframework.cloud.gcp.pubsub.support.DefaultSubscriberFactory.createSubscriberStub(DefaultSubscriberFactory.java:275) ~[spring-cloud-gcp-pubsub-1.2.0.BUILD-SNAPSHOT.jar:1.2.0.BUILD-SNAPSHOT]
... 60 common frames omitted
Code snippet
See Steps to reproduce
External references such as API reference guides used
Any additional information below
Workload identity: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
Note that this works fine in GCE but when using the GKE metadata server it fails. See googleapis/google-api-dotnet-client#1409 (comment). We have also verified that it works using gcloud inside of the pod with gcloud pubsub topics list and gcloud auth list.
I verified the fix by just building and replacing version of the lib in the java-docs-samples in the pod with the snapshot version containing the fix and both using compute directly and using default credentials works.
I will submit a PR with a fix shortly.
Thanks!
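Added example, not code from this issue or from google-auth-library-java: a small Python reproduction of the detection check the report is about. The probe is only considered "on Compute Engine" when the metadata endpoint answers 200 and echoes `Metadata-Flavor: Google`, and it can be run with or without the request header, which is the difference the curl commands above demonstrate. Because it has to run offline, it talks to a constructed stand-in for the GKE metadata server; the stand-in's behaviour (403 for any request lacking the header) is an assumption, the issue does not state the real server's status code.

```python
"""Probe a metadata server the way an ADC 'am I on Compute Engine?' check should:
send the Metadata-Flavor: Google request header and require it in the response.
Added example; the fake server below is a constructed stand-in, not the real one."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

METADATA_FLAVOR = "Metadata-Flavor"
GOOGLE_FLAVOR = "Google"


class FakeGkeMetadataHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the GKE metadata server. Assumption: it answers
    requests carrying 'Metadata-Flavor: Google' and rejects all others with 403
    (the issue only says the header-less request fails, not with which status)."""

    def do_GET(self):
        if self.headers.get(METADATA_FLAVOR) != GOOGLE_FLAVOR:
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"Missing Metadata-Flavor:Google header.\n")
            return
        body = b"computeMetadata/\n"
        self.send_response(200)
        self.send_header(METADATA_FLAVOR, GOOGLE_FLAVOR)  # the response-side marker
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_metadata_server():
    """Start the fake server on an ephemeral localhost port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeGkeMetadataHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def running_on_compute_engine(base_url, send_flavor_header=True, timeout=0.5):
    """Return True only if the metadata endpoint answers 200 AND echoes
    'Metadata-Flavor: Google'. send_flavor_header=False reproduces the broken
    probe from the issue: a GKE-style metadata server refuses it, so ADC
    concludes it is not on Compute Engine."""
    req = Request(base_url + "/")
    if send_flavor_header:
        req.add_header(METADATA_FLAVOR, GOOGLE_FLAVOR)
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200 and resp.headers.get(METADATA_FLAVOR) == GOOGLE_FLAVOR
    except HTTPError:            # server answered but refused the probe (e.g. 403)
        return False
    except (URLError, OSError):  # unreachable or timed out: not on GCE/GKE
        return False


if __name__ == "__main__":
    server, url = start_fake_metadata_server()
    try:
        print("without header:", running_on_compute_engine(url, send_flavor_header=False))
        print("with header:   ", running_on_compute_engine(url))
    finally:
        server.shutdown()
```

The response-header check matters as much as the request header: a captive portal or any other HTTP listener on the metadata address would otherwise be mistaken for Compute Engine, and the short timeout keeps the probe from stalling application start-up when no metadata server exists at all.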