Skip to content

Deprioritize GCloudAuthorizedUser #74

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
djc merged 4 commits into from
Jun 30, 2023
Merged

Deprioritize GCloudAuthorizedUser #74

djc merged 4 commits into from
Jun 30, 2023

Conversation

@djc
Copy link
Owner

@djc djc commented Jun 28, 2023

While we're not sure this is a regression since #67 we've recently been seeing elevated error rates in production for some of our code running gcp_auth in a Docker container that has the gcloud CLI installed. The error looks like this (this is from a gRPC client call):

Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.

Code that doesn't have gcloud installed in the container seems to be running without errors.

The documentation for the print-access-token command also lists some limitations:

Note that token itself may not be enough to access some services. If you use the token with curl or similar tools, you may see permission errors similar to "API has not been used in project 32555940559 before or it is disabled.". If it happens, you may need to provide a quota project in the "X-Goog-User-Project" header.

The identity that granted the token must have the serviceusage.services.use permission on the provided project.

We also noted that the order of token acquisition methods tried by the gcp_auth::AuthenticationManager doesn't match what official Google SDKs do -- this PR would bring gcp_auth closer in line with official SDKs.

Because this seems like a substantial change to the documented mechanics, I've included a commit that bumps the version number to the next semver-incompatible release (despite there being no actual changes to the public API). When releasing this change we should publish release notes that clearly point out the change.

(I worked with @valkum on this, hope I'm correctly representing his research.)

@djc djc requested a review from hrvolapeter June 28, 2023 15:01
valkum
valkum reviewed Jun 28, 2023
View reviewed changes
hrvolapeter
hrvolapeter approved these changes Jun 29, 2023
View reviewed changes
Copy link
Collaborator

@hrvolapeter hrvolapeter left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, I'm just thinking since the order is already being changed if it doesn't make sense to bring the ADC as last step to have the same order as other SDKs

@djc djc force-pushed the deprioritize-gcloud branch from 144065c to 8876527 Compare June 30, 2023 10:01
@djc
Copy link
Owner Author

djc commented Jun 30, 2023

Okay, I've aligned the order with the upstream SDKs. Also renamed the ServiceAccount impls a bit to try make the names more descriptive.

valkum
valkum approved these changes Jun 30, 2023
View reviewed changes
Copy link
Contributor

@valkum valkum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good now. Just a single thought. But feel free to merge without following my remarks.

@djc djc force-pushed the deprioritize-gcloud branch from 8876527 to f0f7ef7 Compare June 30, 2023 10:46
@djc
Copy link
Owner Author

djc commented Jun 30, 2023

@hrvolapeter thanks for the feedback, please have a look to see if you agree with the renaming!

hrvolapeter
hrvolapeter approved these changes Jun 30, 2023
View reviewed changes
Copy link
Collaborator

@hrvolapeter hrvolapeter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good and thanks for the changes! 👍

@djc djc merged commit 6e6a440 into master Jun 30, 2023
@djc
Copy link
Owner Author

djc commented Jun 30, 2023

Published 0.9.0 on crates.io. I was going to add a GitHub release to write some release notes but I don't think I have permissions to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hrvolapeter hrvolapeter hrvolapeter approved these changes

+1 more reviewer

@valkum valkum valkum approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@djc @valkum @hrvolapeter