Unable to load `application_default_credentials.json` on Windows

[andreban]

On 0.12.1, my application started failing to get the credentials. Upon investigation, I noticed that 0.11.1 wasn't using the application_default_credentials.json file, as I expected but using the gcloud command to get the authorized user (via GCloudAuthorizedUser).

The reason for failing to load application_default_credentials.json is that, according to the Google Cloud documentation, on Windows the application_default_credentials.json file is located at %APPDATA%\gcloud\application_default_credentials.json , but the the application tries to load it from %HOMEPATH%/.config/gcloud/application_default_credentials.json (looking at this line and this line.

[djc]

Sorry for the regression!

Huh, that is surprising. While I made a lot of changes, I don't recall any changes that I'd consider relevant for this path. Would you mind bisecting between the last working release and the newer release to see where I broke it?

[andreban]

Hey @djc, thanks for getting back.

FWIW, I don't think ConfigDefaultCredentials has ever worked for me. I thought that's how it was authenticating but found 0.11.1 is using GCloudAuthorizedUser instead (see log below).

What seems to have regressed between 0.11.1 and 0.12.1 is the GCloudAuthorizedUser flow. I'm investigating what's going on there and if there's some misconfiguration causing 0.12.1 to fail to find the gcloud command and will file a bug once I have clarity the issue is not on my side.

I was looking into the directories crate as a possible solution to the application_default_credentials.json that abstracts platform-specific code, but it seems it would fix for Windows but break things on MacOS, given GCP doesn't use the standard directory for the file, but the .config directory just like Linux.

Here's the log from 0.11.1 showing it was actually using `GCloudAuthorizedUser.

2024-05-28T19:58:57.622868Z DEBUG new: gcp_auth::authentication_manager: Initializing gcp_auth
2024-05-28T19:58:57.627715Z DEBUG new: gcp_auth::default_authorized_user: Loading user credentials file
2024-05-28T19:58:57.628029Z DEBUG new:get_token{client=Client}: gcp_auth::default_service_account: Getting token from GCP instance metadata server
2024-05-28T19:58:57.628913Z DEBUG hyper::client::connect::dns: resolving host="metadata.google.internal"
2024-05-28T19:58:57.645776Z  WARN new:get_token{client=Client}: gcp_auth::default_service_account: Failed to get token from GCP instance metadata server: error trying to connect: dns error: No such host is known. (os error 11001), trying again...
2024-05-28T19:58:57.646494Z DEBUG hyper::client::connect::dns: resolving host="metadata.google.internal"
2024-05-28T19:58:57.646779Z  WARN new:get_token{client=Client}: gcp_auth::default_service_account: Failed to get token from GCP instance metadata server: error trying to connect: dns error: No such host is known. (os error 11001), trying again...
2024-05-28T19:58:57.646919Z DEBUG hyper::client::connect::dns: resolving host="metadata.google.internal"
2024-05-28T19:58:57.647205Z  WARN new:get_token{client=Client}: gcp_auth::default_service_account: Failed to get token from GCP instance metadata server: error trying to connect: dns error: No such host is known. (os error 11001), trying again...
2024-05-28T19:58:57.647400Z DEBUG hyper::client::connect::dns: resolving host="metadata.google.internal"
2024-05-28T19:58:57.647647Z  WARN new:get_token{client=Client}: gcp_auth::default_service_account: Failed to get token from GCP instance metadata server: error trying to connect: dns error: No such host is known. (os error 11001), trying again...
2024-05-28T19:58:57.647834Z DEBUG hyper::client::connect::dns: resolving host="metadata.google.internal"
2024-05-28T19:58:57.648058Z  WARN new:get_token{client=Client}: gcp_auth::default_service_account: Failed to get token from GCP instance metadata server: error trying to connect: dns error: No such host is known. (os error 11001), trying again...
2024-05-28T19:58:59.817829Z DEBUG new: gcp_auth::authentication_manager: Using GCloudAuthorizedUser
2024-05-28T19:58:59.819169Z DEBUG reqwest::connect: starting new connection: https://us-central1-aiplatform.googleapis.com/
2024-05-28T19:58:59.819376Z DEBUG hyper_util::client::legacy::connect::dns: resolving host="us-central1-aiplatform.googleapis.com"
2024-05-28T19:58:59.820883Z DEBUG hyper_util::client::legacy::connect::http: connecting to 142.250.179.234:443
2024-05-28T19:58:59.829227Z DEBUG hyper_util::client::legacy::connect::http: connected to 142.250.179.234:443
2024-05-28T19:59:00.487182Z DEBUG hyper_util::client::legacy::pool: pooling idle connection for ("https", us-central1-aiplatform.googleapis.com)

[djc]

Thanks for investigating!

I was looking into the directories crate as a possible solution to the application_default_credentials.json that abstracts platform-specific code, but it seems it would fix for Windows but break things on MacOS, given GCP doesn't use the standard directory for the file, but the .config directory just like Linux.

Maybe we should just fix this with a little custom handling in ConfigDefaultCredentials?

(I don't have easy access to Windows but am happy to test on macOS/Linux.)

[andreban]

If you are ok with this, I can put together a PR introducing a method to get the path and using conditional compilation (target_os) to have platform-specific implementations. How does that sound?

Btw, I filed https://github.com/djc/gcp_auth/issues/111 for the gcloud command.

[djc]

If you are ok with this, I can put together a PR introducing a method to get the path and using conditional compilation (target_os) to have platform-specific implementations. How does that sound?

Not sure it should be a separate method, but using conditional compilation to refine which path we search application_default_credentials.json sounds good to me, happy to review a PR!

[andreban]

Created https://github.com/djc/gcp_auth/pull/112. Works on Windows and on MacOS. Let me know if you'd like any changes to the PR.

[andreban]

Closed via #112