googleapis / nodejs-secret-manager

This repository is deprecated. All of its content and history has been moved to googleapis/google-cloud-node.
https://cloud.google.com/secret-manager
Apache License 2.0

[Creating secret in GCP from AWS environment][Error: Could not load the default credentials.] #196

Closed AkhilA4 closed 2 years ago

AkhilA4 commented 3 years ago

Hi, I've been trying to create a secret in GCP by calling GCP's APIs from an AWS Lambda. I'm trying to pass the projectId and the path of the service account credentials JSON file as parameters to the SecretManagerServiceClient class constructor to initialize an object. For some reason, using Serverless, I'm unable to set the environment variable thing.

Manually, I'm creating a secret in AWS with the key-value pairs of the service account credentials JSON file content, like below:

  "type": "service_account",
  "project_id": "projectIdName",
  "private_key_id": "1234566",
  "private_key": "773273282",
  "......

But at the time of passing the parameters to the SecretManagerServiceClient class, locally at run time I'm creating a new JSON file in a local folder by reading the key-value pairs from the stored secret.

While doing the above, I'm getting the below error:

 Error: Could not load the default credentials. Browse to https://cloud.google.com/docs/authentication/getting-started for more information.
    at GoogleAuth.getApplicationDefaultAsync (/home/a/b/c/d/node_modules/google-auth-library/build/src/auth/googleauth.js:157:19)

Sample piece of code:

const projectId = this.gcpProjectId;
const keyFileName = this.tempPathForCreds;

const gcpSecretClient = new SecretManagerServiceClient({projectId, keyFileName});

1) From the error it looks like the library is trying to load the credentials from environment variables even though I'm passing the absolute path of the JSON file. Is this because something like the SecretManagerServiceClient library will not have access to local storage from the AWS environment?

2) Can we pass any other values as parameters to the SecretManagerServiceClient class other than the projectId and the SA credentials JSON file path? If so, can you please point to any code samples (like projectId, private_key, client_email)?

Really appreciate any help. Thanks.
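As an added example (not code from this issue, from the reporter, or from @google-cloud/secret-manager), here is one way to construct the client from credentials held in memory, which is what the question about passing private_key and client_email points at. It assumes the constructor options follow google-auth-library's GoogleAuthOptions: projectId, keyFilename (or keyFile) for a file path, and credentials with client_email and private_key for in-memory key material; an option key with any other spelling is assumed to be ignored, so the library falls back to Application Default Credentials. The service-account JSON and its key body are constructed placeholders, and the helper names are ours.

```javascript
'use strict';

// Added example, not code from the issue or from @google-cloud/secret-manager.
// Builds SecretManagerServiceClient options in memory from a service-account
// JSON string (e.g. the secret fetched from AWS Secrets Manager), so the
// private key never has to be written to a temp file on the Lambda filesystem.
// Assumption: constructor options follow google-auth-library's GoogleAuthOptions
// (projectId, keyFilename/keyFile, credentials).

const REQUIRED_FIELDS = ['type', 'project_id', 'client_email', 'private_key'];

// Option names the auth layer recognises for project and key material
// (assumption, taken from GoogleAuthOptions).
const KEY_OPTION_NAMES = ['projectId', 'keyFilename', 'keyFile', 'credentials'];

// Parse and validate the service-account JSON and return constructor options
// that carry the credentials in memory instead of a file path.
function buildClientOptions(serviceAccountJson) {
  let sa;
  try {
    sa = JSON.parse(serviceAccountJson);
  } catch (err) {
    throw new Error('service account secret is not valid JSON');
  }
  const missing = REQUIRED_FIELDS.filter((f) => typeof sa[f] !== 'string' || sa[f] === '');
  if (missing.length > 0) {
    throw new Error(`service account JSON is missing: ${missing.join(', ')}`);
  }
  if (sa.type !== 'service_account') {
    throw new Error(`unexpected credential type: ${sa.type}`);
  }
  // Secrets pasted into a console as key/value pairs often end up with the PEM's
  // line breaks stored as the two characters "\n"; restore real newlines so the
  // key parses.
  const privateKey = sa.private_key.replace(/\\n/g, '\n');
  if (!privateKey.startsWith('-----BEGIN ') || !privateKey.includes('-----END ')) {
    throw new Error('private_key is not a PEM block');
  }
  return {
    projectId: sa.project_id,
    credentials: { client_email: sa.client_email, private_key: privateKey },
  };
}

// Report option keys that differ only in letter case from a recognised name
// (e.g. keyFileName vs keyFilename). Such a key is silently ignored by the auth
// layer, which then falls through to Application Default Credentials and fails
// with "Could not load the default credentials".
function misspelledOptionKeys(options) {
  const canonical = new Map(KEY_OPTION_NAMES.map((k) => [k.toLowerCase(), k]));
  return Object.keys(options)
    .filter((k) => canonical.has(k.toLowerCase()) && canonical.get(k.toLowerCase()) !== k)
    .map((k) => ({ given: k, expected: canonical.get(k.toLowerCase()) }));
}

// Construct the real client; requires @google-cloud/secret-manager at runtime.
function makeSecretManagerClient(options) {
  for (const m of misspelledOptionKeys(options)) {
    console.warn(`option "${m.given}" will be ignored; did you mean "${m.expected}"?`);
  }
  const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
  return new SecretManagerServiceClient(options);
}

// Constructed sample: placeholder service-account JSON with a fake key body,
// stored the way a console paste leaves it (literal "\n" instead of newlines).
const SAMPLE_SECRET = JSON.stringify({
  type: 'service_account',
  project_id: 'example-project',
  private_key_id: 'PLACEHOLDER_KEY_ID',
  private_key: '-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER_BASE64\\n-----END PRIVATE KEY-----\\n',
  client_email: 'sa@example-project.iam.gserviceaccount.com',
});

if (typeof require !== 'undefined' && require.main === module) {
  const options = buildClientOptions(SAMPLE_SECRET);
  console.log('projectId:', options.projectId, 'client_email:', options.credentials.client_email);
  console.log('ignored keys in the posted call:', misspelledOptionKeys({ projectId: 'p', keyFileName: '/tmp/creds.json' }));
  // makeSecretManagerClient(options) would now authenticate with the in-memory key.
}
```

Keeping the key in memory also removes the temp-file step from the Lambda, so there is no credentials file left on a shared /tmp between invocations; if a file path is still preferred, the option to set is keyFilename, and GOOGLE_APPLICATION_CREDENTIALS is only consulted when none of the explicit options is recognised.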

AkhilA4 commented 3 years ago

I just tried the below code on the AWS Lambda:

const auth = new google.auth.GoogleAuth({
    keyFile: './serviceAccountCreds.json',
    scopes: ['https://www.googleapis.com/auth/cloud-platform'],
});

The google.auth.GoogleAuth class is able to pick up the keyFile path properly and I'm able to get the access token, credentials, etc. So I'm assuming this is not a case of the GCP APIs not being able to access the local path of the JSON file.

AkhilA4 commented 3 years ago

I was able to set the environment variable process.env.GOOGLE_APPLICATION_CREDENTIALS at run time and initialize the SecretManagerServiceClient constructor. But this still leaves me with the question of why the SecretManagerServiceClient constructor throws the below error when the projectId and the absolute path of the SA JSON file are given as parameters:

Error: Could not load the default credentials. Browse to https://cloud.google.com/docs/authentication/getting-started for more information.
   at GoogleAuth.getApplicationDefaultAsync (/home/a/b/c/d/node_modules/google-auth-library/build/src/auth/googleauth.js:157:19)

sethvargo commented 2 years ago

The preferred way to authenticate from AWS (or other cloud providers) to Google Cloud is via Workload Identity Federation.