Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

App default credentials do not work on App Engine Managed VMs. #513

Closed
theacodes opened this issue Apr 28, 2015 · 12 comments
Closed

App default credentials do not work on App Engine Managed VMs. #513

theacodes opened this issue Apr 28, 2015 · 12 comments
Assignees
Labels
status: blocked Resolving the issue is dependent on other work.

Comments

@theacodes
Copy link

When running locally or on Google Compute Engine, app default credentials are used to provide authentication without needed to provide a private key. However, this does not work when deployed to Managed VMs.

@stephenplusplus
Copy link
Contributor

Have you tried against master? We just started using google-auth-library, but haven't made a release yet.

@theacodes
Copy link
Author

Yes, this is against master. It's possible that managed VMs does not expose the service account from the underlying VM.

@ryanseys
Copy link
Contributor

I think it should... I just came across this library which appears to provide that functionality (getting a token) from within Managed VMs.

@theacodes
Copy link
Author

This might be that the service account associated with the managed VM doesn't have the datastore scope. Investigating and will update.

@ryanseys
Copy link
Contributor

Yeah they seem to be hitting the same endpoint as long as it's working as it should.

@theacodes
Copy link
Author

Okay. That is exactly the problem.

  • Managed VMs default service account doesn't include scopes to access datastore, pubsub, etc.
  • The .yaml config to add the scope isn't current documented (it's a beta setting)

Once the settings are documented, we should add some documentation here around adding scopes to MVMs/GCE to allow access.

@ryanseys
Copy link
Contributor

@jonparrott Thanks for investigating! Can you open a new issue and point to the docs that helped you resolve this issue so we know how to document it for our users?

@theacodes
Copy link
Author

It's not currently documented :( I'll create a new issue here once I get the docs published.

@ryanseys
Copy link
Contributor

Okey doke! I'll reopen this to keep tracking the issue.

@ryanseys ryanseys reopened this Apr 29, 2015
@stephenplusplus stephenplusplus added the status: blocked Resolving the issue is dependent on other work. label Jun 30, 2015
@stephenplusplus
Copy link
Contributor

The .yaml config to add the scope isn't current documented (it's a beta setting)

@jonparrott if that's documented now (?), that's probably good enough. Maybe a simple line could be added to https://github.com/GoogleCloudPlatform/gcloud-common/tree/master/authentication with something like "To enable the scopes on a managed VM, see ..."

@theacodes
Copy link
Author

This is a non-issue now, as all the requisite scopes for GCP APIs are now defaulted in MVMs. Users should never have to change the scopes. If they do, I consider that that's a bug on our end.

@stephenplusplus
Copy link
Contributor

Oh, great. Thanks again!

sofisl pushed a commit that referenced this issue Sep 27, 2022
This PR was generated using Autosynth. 🌈

Synth log will be available here:
https://source.cloud.google.com/results/invocations/000b31a7-d841-4bba-9f39-9c136bef31bc/targets

- [ ] To automatically regenerate this PR, check this box.
sofisl pushed a commit that referenced this issue Nov 9, 2022
This PR was generated using Autosynth. 🌈

Synth log will be available here:
https://source.cloud.google.com/results/invocations/000b31a7-d841-4bba-9f39-9c136bef31bc/targets

- [ ] To automatically regenerate this PR, check this box.
sofisl pushed a commit that referenced this issue Nov 10, 2022
Note that this not a breaking change for any other language, and the C# library for this has not been published by Google.

PiperOrigin-RevId: 375638678

Source-Link: googleapis/googleapis@d4d6443

Source-Link: googleapis/googleapis-gen@8fb1ab6
sofisl pushed a commit that referenced this issue Nov 10, 2022
This PR was generated using Autosynth. 🌈

Synth log will be available here:
https://source.cloud.google.com/results/invocations/18b0a4f0-1600-404c-b007-4183fa7fccbb/targets

- [ ] To automatically regenerate this PR, check this box. (May take up to 24 hours.)

Source-Link: googleapis/synthtool@c6706ee
Source-Link: googleapis/synthtool@b33b0e2
Source-Link: googleapis/synthtool@898b38a
sofisl pushed a commit that referenced this issue Nov 11, 2022
- [ ] Regenerate this pull request now.

Committer: @summer-ji-eng
PiperOrigin-RevId: 424244721

Source-Link: googleapis/googleapis@4b6b01f

Source-Link: googleapis/googleapis-gen@8ac83fb
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiOGFjODNmYmE2MDZkMDA4YzdlOGE0MmU3ZDU1YjY1OTZlYzRiZTM1ZiJ9
sofisl pushed a commit that referenced this issue Nov 11, 2022
This PR was generated using Autosynth. 🌈

Synth log will be available here:
https://source.cloud.google.com/results/invocations/8b7e3986-c966-4325-9ced-bdd850176095/targets

- [ ] To automatically regenerate this PR, check this box.
sofisl pushed a commit that referenced this issue Nov 11, 2022
[![WhiteSource Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [sinon](https://sinonjs.org/) ([source](https://togithub.com/sinonjs/sinon)) | [`^11.0.0` -> `^12.0.0`](https://renovatebot.com/diffs/npm/sinon/11.1.2/12.0.1) | [![age](https://badges.renovateapi.com/packages/npm/sinon/12.0.1/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/sinon/12.0.1/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/sinon/12.0.1/compatibility-slim/11.1.2)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/sinon/12.0.1/confidence-slim/11.1.2)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>sinonjs/sinon</summary>

### [`v12.0.1`](https://togithub.com/sinonjs/sinon/blob/master/CHANGES.md#&#8203;1201)

[Compare Source](https://togithub.com/sinonjs/sinon/compare/v12.0.0...v12.0.1)

-   [`3f598221`](https://togithub.com/sinonjs/sinon/commit/3f598221045904681f2b3b3ba1df617ed5e230e3)
    Fix issue with npm unlink for npm version > 6 (Carl-Erik Kopseng)
    > 'npm unlink' would implicitly unlink the current dir
    > until version 7, which requires an argument
-   [`51417a38`](https://togithub.com/sinonjs/sinon/commit/51417a38111eeeb7cd14338bfb762cc2df487e1b)
    Fix bundling of cjs module ([#&#8203;2412](https://togithub.com/sinonjs/sinon/issues/2412)) (Julian Grinblat)
    > -   Fix bundling of cjs module
    >
    > -   Run prettier

*Released by [Carl-Erik Kopseng](https://togithub.com/fatso83) on 2021-11-04.*

#### 12.0.0

### [`v12.0.0`](https://togithub.com/sinonjs/sinon/compare/v11.1.2...v12.0.0)

[Compare Source](https://togithub.com/sinonjs/sinon/compare/v11.1.2...v12.0.0)

</details>

---

### Configuration

📅 **Schedule**: "after 9am and before 3pm" (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by [WhiteSource Renovate](https://renovate.whitesourcesoftware.com). View repository job log [here](https://app.renovatebot.com/dashboard#github/googleapis/nodejs-kms).
sofisl pushed a commit that referenced this issue Nov 18, 2022
* test: use fully qualified request type name in tests

PiperOrigin-RevId: 475685359

Source-Link: googleapis/googleapis@7a12973

Source-Link: googleapis/googleapis-gen@370c729
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiMzcwYzcyOWUyYmEwNjJhMTY3NDQ5YzI3ODgyYmE1ZjM3OWM1YzM0ZCJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
sofisl pushed a commit that referenced this issue Sep 13, 2023
[PR](googleapis/gapic-generator-typescript#878) within
updated gapic-generator-typescript version 1.4.0

Committer: @summer-ji-eng
PiperOrigin-RevId: 375759421

Source-Link: googleapis/googleapis@95fa72f

Source-Link: googleapis/googleapis-gen@f40a343
sofisl pushed a commit that referenced this issue Sep 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
status: blocked Resolving the issue is dependent on other work.
Projects
None yet
Development

No branches or pull requests

3 participants