googleapis / nodejs-storage

Node.js client for Google Cloud Storage: unified object storage for developers and enterprises, from live data serving to data analytics/ML to data archiving.
https://cloud.google.com/storage/
Apache License 2.0

"Could not load the default credentials" when using custom apiEndpoint with `getSignedUrl` #2197

Open psigen opened 1 year ago

psigen commented 1 year ago

Environment details

Steps to reproduce

Run the following code when using a storage emulator such as fake-gcs-server or firebase storage emulator:

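```ts
import { Storage } from "@google-cloud/storage";

// Client pointed at a local emulator, with authentication disabled.
const storage = new Storage({
  apiEndpoint: 'http://localhost:9199',
  projectId: 'random-fake-proj-id',
  useAuthWithCustomEndpoint: false,
});

const expiration = new Date();
const expirationSecs = 60 * 10; // 10 minutes
// Add to the current seconds so the expiry is a full 10 minutes from now.
expiration.setSeconds(expiration.getSeconds() + expirationSecs);

const options = {
  version: "v4" as const,
  action: "read" as const,
  expires: expiration,
};

// BUCKET_NAME and path stand for the bucket and object being signed.
const [url] = await storage.bucket(BUCKET_NAME)
  .file(path)
  .getSignedUrl(options);
```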

This will return the following error about credentials, even though the emulator doesn't use credentials, so they aren't needed to sign the URL:

```
Error: Could not load the default credentials. Browse to https://cloud.google.com/docs/authentication/getting-started for more information.
    at GoogleAuth.getApplicationDefaultAsync (/app/api/index.js:65733:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async GoogleAuth.getClient (/app/api/index.js:66050:20)
    at async GoogleAuth.getCredentialsAsync (/app/api/index.js:66009:24)
    at async sign (/app/api/index.js:93784:33)
```

This was previously mentioned in a comment on this previous ticket: https://github.com/googleapis/nodejs-storage/issues/1373#issuecomment-1140351554

ddelgrosso1 commented 1 year ago

@danielbankhead I poked into this a bit and it appears that the problem comes in that there doesn't appear to be a way to tell the auth library to "faux" sign a request. Is there a clean way we can bypass this in storage when the user does not want to use authentication?

danielbankhead commented 1 year ago

[discussed offline, sharing here] We may need to take a similar approach as https://github.com/googleapis/gcs-resumable-upload/pull/416 for this issue.

BrennaEpp commented 1 year ago

Hijacking this issue to track the implementation of this feature:

When a custom endpoint is set on the client, Sign URLs and Post Policies should automatically use that domain.

Optional: allow users to set a custom hostname for Sign URL and Post policy methods

See: go/signurl-custom-endpoint-gcs
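To illustrate the point about signed URLs and custom endpoints, here is an added example that is not part of the original thread or the library's code: a V4 signed URL built by hand with Node's `crypto`, following the publicly documented V4 signing process. It shows that the signature is computed from a private key and covers the `host` header, so the endpoint has to be known at signing time. The throwaway RSA key, `CLIENT_EMAIL` and the helper names `stringToSign`, `signUrl` and `verifyUrl` are constructed for illustration.

```javascript
// Added example: hand-built V4 signed URL for a custom endpoint (not library code).
const crypto = require('node:crypto');

// Constructed throwaway identity for local emulator use; never a real service-account key.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const CLIENT_EMAIL = 'emulator@random-fake-proj-id.iam.gserviceaccount.com'; // constructed

// Percent-encode everything except RFC 3986 unreserved characters.
const enc = (s) => encodeURIComponent(s)
  .replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Builds the unsigned URL and the V4 string-to-sign for a path-style GET.
function stringToSign({ endpoint, bucket, object, expiresSecs, now = new Date() }) {
  const { host, origin } = new URL(endpoint); // host is what gets signed
  const ts = now.toISOString().replace(/[-:]|\.\d{3}/g, ''); // YYYYMMDD'T'HHMMSS'Z'
  const scope = `${ts.slice(0, 8)}/auto/storage/goog4_request`;
  const path = `/${enc(bucket)}/${object.split('/').map(enc).join('/')}`;
  const query = [ // listed in the sorted order the canonical query string requires
    ['X-Goog-Algorithm', 'GOOG4-RSA-SHA256'],
    ['X-Goog-Credential', `${CLIENT_EMAIL}/${scope}`],
    ['X-Goog-Date', ts],
    ['X-Goog-Expires', String(expiresSecs)],
    ['X-Goog-SignedHeaders', 'host'],
  ].map(([k, v]) => `${enc(k)}=${enc(v)}`).join('&');
  const canonical = ['GET', path, query, `host:${host}`, '', 'host', 'UNSIGNED-PAYLOAD'].join('\n');
  const digest = crypto.createHash('sha256').update(canonical).digest('hex');
  return {
    base: `${origin}${path}?${query}`,
    text: ['GOOG4-RSA-SHA256', ts, scope, digest].join('\n'),
  };
}

// Signing is a local RSA-SHA256 operation; this is the step that needs a key.
function signUrl(opts) {
  const { base, text } = stringToSign(opts);
  const sig = crypto.sign('sha256', Buffer.from(text), privateKey).toString('hex');
  return `${base}&X-Goog-Signature=${sig}`;
}

// Recomputes the string-to-sign for the given endpoint and checks the signature.
function verifyUrl(signedUrl, opts) {
  const sig = new URL(signedUrl).searchParams.get('X-Goog-Signature');
  const { text } = stringToSign(opts);
  return crypto.verify('sha256', Buffer.from(text), publicKey, Buffer.from(sig, 'hex'));
}
```

A URL signed for `http://localhost:9199` fails verification when checked against any other endpoint, because the host is part of the canonical request.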

danielbankhead commented 11 months ago

Related: