googleapis / google-auth-library-nodejs

🔑 Google Auth Library for Node.js
Apache License 2.0

Too many call to the token exchange endpoint when uploading file to GCS #1836

Closed GregoireW closed 2 months ago

GregoireW commented 2 months ago

Hello,

This issue is linked to https://github.com/google-github-actions/upload-cloud-storage/issues/364

The issue is that when we use the google-github-actions/upload-cloud-storage action, this authentication library is used and we end up with a huge number of calls on the token exchange API.


As this is rate limited, we got some spikes that made some things worse. I already increased the API quota, but to fix our issue it would need a crazy number. It is better to fix this here.

To reproduce the issue, you can run an action containing:

      - uses: actions/checkout@v4
        id: checkout

      - name: generate
        run: |
          mkdir site
          for i in {1..250} ; do 
            head -c 1M </dev/urandom > site/test-$i.txt ; 
          done;

      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v2'
        with:
          workload_identity_provider: projects/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          service_account: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

      - name: Publish report
        uses: google-github-actions/upload-cloud-storage@v2
        with:
          path: ./site
          destination: zzzzzzzzzzzzzzzzzzzzz
          parent: false
          process_gcloudignore: false
          gzip: false

danielbankhead commented 2 months ago

The library currently provides caching for this and it looks like it's behaving as intended:

https://github.com/googleapis/google-auth-library-nodejs/blob/0b78d91534d97b37859a2303b332f8ccd52dbf69/src/auth/baseexternalclient.ts#L579-L596

Do you know if your configuration is preventing caching? Such as expires_in is not being returned or is 0?

GregoireW commented 2 months ago

The action uses the library @google-cloud/storage, which in turn uses this library.

I currently modified the action to add a lock on the auth call:

https://github.com/GregoireW/upload-cloud-storage/blob/ab0fd3cf9ce46216ecbefeead2072fd4194f271b/src/client.ts#L305-L321

With this lock, the number of calls to the token exchange is drastically reduced (2 calls for 250 files), so for me the cache is OK, but caching is only done after authentication is done. In the GCS use case, you have a huge number of requests in a short time and for that, you consider there is no cache for many of them.
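
The behaviour described in the comment above (the token is cached only once an exchange has completed, so requests that start concurrently all miss the cache), as an added example that is not part of the thread and is not code from google-auth-library-nodejs or the upload action. `makeFakeSts`, `BaseClient`, `CacheAfterCompletionClient`, `SingleFlightClient` and `simulateUploads` are hypothetical names, and the token exchange endpoint is a constructed in-process stub.

```javascript
// Constructed stand-in for the token exchange endpoint: counts calls, answers after a delay.
function makeFakeSts(latencyMs = 20) {
  const sts = { calls: 0 };
  sts.exchange = () => {
    const n = ++sts.calls;
    return new Promise((resolve) => setTimeout(
      () => resolve({ access_token: `tok-${n}`, expires_in: 3600 }), latencyMs));
  };
  return sts;
}

// Shared cache bookkeeping for both hypothetical clients.
class BaseClient {
  constructor(sts) { this.sts = sts; this.cached = null; this.pending = null; }
  fresh() { return this.cached !== null && Date.now() < this.cached.expiresAt; }
  store(res) {
    this.cached = { token: res.access_token, expiresAt: Date.now() + res.expires_in * 1000 };
    return this.cached.token;
  }
}

// Cache written only after the exchange completes: every caller that arrives
// while the first exchange is still in flight misses the cache and exchanges too.
class CacheAfterCompletionClient extends BaseClient {
  async getAccessToken() {
    if (this.fresh()) return this.cached.token;
    return this.store(await this.sts.exchange());
  }
}

// Single-flight: concurrent callers share the one pending exchange.
class SingleFlightClient extends BaseClient {
  getAccessToken() {
    if (this.fresh()) return Promise.resolve(this.cached.token);
    if (this.pending === null) {
      this.pending = this.sts.exchange()
        .then((res) => this.store(res))
        // Clear on success and on failure so an error is never cached.
        .finally(() => { this.pending = null; });
    }
    return this.pending;
  }
}

// Fire `files` concurrent token requests, as a parallel upload would.
async function simulateUploads(ClientClass, files = 250) {
  const sts = makeFakeSts();
  const client = new ClientClass(sts);
  const tokens = await Promise.all(Array.from({ length: files }, () => client.getAccessToken()));
  await client.getAccessToken(); // cache is warm now: no further exchange
  return { exchanges: sts.calls, distinctTokens: new Set(tokens).size };
}
```

Against the stub, `simulateUploads(CacheAfterCompletionClient)` reports one exchange per concurrent request, while `simulateUploads(SingleFlightClient)` reports a single exchange for the same burst.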

danielbankhead commented 2 months ago

On second review, I think we can improve this experience. I've created a PR to resolve: