TimurSadykov
commented
2 years ago Thanks for reporting! without checking the response status, the code indeed looks incorrect
Open petedmarsh opened 2 years ago
TimurSadykov
commented
2 years ago Thanks for reporting! without checking the response status, the code indeed looks incorrect
kberezin-nshl
commented
1 year ago Just wasted several hours being stuck with the same problem...
The root cause of the issue in my case with ComputeEngineCredentials was that I was actually getting the following response:
404 Not Found
identity token not available for default service account; please provide a user-specified service accountBut this code here doesn't check if response was successful at all. It was just passing "identity token not available for default service account; please provide a user-specified service account" string forward to JsonWebSignature parser and the latter crashed.
This pull request partially addressed the issue but it only covers 503 response code and as you can see in my case it was 404 response code.
In other words, I think the right fix would be to make sure that the response is 2xx before proceeding with token creation and throw an exception otherwise.
cc @TimurSadykov
EDIT: not sure how many various *Credentials classes are affected by the same problem
TimurSadykov
commented
1 year ago @kberezin-nshl Thanks for investigating. The fix that you have mentioned was indeed a short-term fix for the most common case. We will consider a proper fix. It would help if you share any stats/scenario when you get a repro of the error? Thanks!
kberezin-nshl
commented
1 year ago @TimurSadykov sure.
In my case, I tried to follow this guide to get a token in order to access IAP-protected resource from Cloud Build environment.
Here's shortened version (will crash if run in Cloud Build using default service account):
public class BuildIapRequest {
private static final String IAM_SCOPE = "https://www.googleapis.com/auth/iam";
private BuildIapRequest() {}
public static void thisMethodWillCrash() throws IOException {
GoogleCredentials credentials =
GoogleCredentials.getApplicationDefault().createScoped(Collections.singleton(IAM_SCOPE));
// the method bellow will eventually call ComputeEngineCredentials.idTokenWithAudience
// which will get 404 and pass error message to token parser
credential.getRequestMetadata("your_iap_protected_url");
}
}
Martin4R
commented
7 months ago This is the only issue ticket mentioning the error message "please provide a user-specified service account" when trying to get an ID-token via the metadata endpoint within a VM. In my case the issue was, that I tried to use a VM (in VertexAI) with a user-specified service account, but my service account did not have the permission "iam.serviceAccounts.getOpenIdToken" on itself. You need to assign at least the role "Service Account OpenID Connect Identity Token Creator" in the service account permissions to the service account itself, to make it work. The error message is therefore very misleading.
Thanks for stopping by to let us know something could be better!
PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.
Please run down the following list and make sure you've tried the usual "quick fixes":
If you are still having issues, please include as much information as possible:
Environment details
Steps to reproduce
Occasionally we see errors refreshing a token, with the actual source of the error being:
https://github.com/googleapis/google-http-java-client/blob/9f389ef89195af77eff8f1e1c1c9ee9bf9c7792c/google-http-client/src/main/java/com/google/api/client/json/webtoken/JsonWebSignature.java#L544
Following through the code I get back to here https://github.com/googleapis/google-auth-library-java/blob/c813d55a78053ecbec1a9640e6c9814da87319eb/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java#L241:
So - purely speculating - it looks to me that the HTTP request may sometimes not error out but instead return a non-200 response with an error in the body which is then not parsable as a token. I have no proof of this but it seems plausible based on the code.
If this is happening IMO it would be better to have a more specific error, the IllegalArgumentException is very odd and confusing, though of course the end result is the same (i.e. the token is not refreshed).
Code example
Stack trace
External references such as API reference guides
Any additional information below
Following these steps guarantees the quickest resolution possible.
Thanks!