googleapis / google-cloud-node

Google Cloud Client Library for Node.js
https://cloud.google.com/nodejs
Apache License 2.0

How to enable server certificate verification on the Node.js clients like MetricServiceClient/KeyManagementServiceClient for Mutual TLS? #5453

Open Ruthwik opened 3 months ago

Ruthwik commented 3 months ago

We are using the Node.js MetricServiceClient/KeyManagementServiceClient clients in our product. How do we enable server certificate verification in the MetricServiceClient/KeyManagementServiceClient client? We want to enable client-side verification of server certificates with our CA bundle. We've explored the options of MetricServiceClient/KeyManagementServiceClient but couldn't find any.

In the case of other cloud providers we have found a way to pass the CA bundle in the options where the client verifies.

Example for AWS

const fs = require('fs');
const https = require('https');
const { NodeHttpHandler } = require('@smithy/node-http-handler'); // request handler used by AWS SDK v3 clients
const { AthenaClient } = require('@aws-sdk/client-athena');

const caBundle = fs.readFileSync('<path-to-ca-bundle.pem>');           // placeholder: PEM bundle of trusted CAs
const maxVersion = 'TLSv1.3';                                          // highest TLS version the agent will negotiate
const credentials = { accessKeyId: '<KEY_ID>', secretAccessKey: '<SECRET>' }; // placeholder credentials

const nodeOptions = {
    httpsAgent: new https.Agent({
        rejectUnauthorized: true, // abort the handshake if the server cert does not chain to `ca`
        ca: caBundle,             // trust only these CAs instead of the system store
        maxVersion
    }),
};

const requestHandler = new NodeHttpHandler(nodeOptions);
const athena = new AthenaClient({ credentials, region: 'us-east-1', requestHandler });

In the above example, if rejectUnauthorized is true the server will reject any connection which is not authorized with the list of supplied CAs. I also found that it is different for services and clients in the Google Node.js SDK.

@beccasaurus @blowmage

guru1306 commented 3 months ago

I am also facing a similar issue. Did you find any solution?

sofisl commented 2 months ago

I don't think this can be done through grpc, see. However, I do think this could be done using our REST transport. You should be able to configure a client to use mTLS or use the agent parameter like bigquery. In order to do this you'll need to instantiate using the googleapis library, like so:

const {google} = require('googleapis/cloudkms');
const cloudkms = google.cloudkms('v1');

and in the request, you can send a second parameter (options) that extends GaxiosOptions

sofisl commented 2 months ago

@Ruthwik did this work for you?

Ruthwik commented 2 months ago

@sofisl I will post here once I try these changes. It requires a change of our current libraries.

'@google-cloud/kms'

Is it also the same for monitoring client? '@google-cloud/monitoring'