pulumi / pulumi-gcp

A Google Cloud Platform (GCP) Pulumi resource package, providing multi-language access to GCP
Apache License 2.0

Warning getting regions list when using OIDC #2121

Open stooj opened 2 months ago

stooj commented 2 months ago

Describe what happened

When running with GCP and OIDC configured in an environment, the provider is unable to retrieve a regions list. Fortunately it's just a warning rather than an error, so it's not blocking anything.

  pulumi:pulumi:Stack (region-failure-dev):
    warning: failed to get regions list: failed to create compute service: google: could not find default credentials. See https://cloud.google.com/docs/authentication/external/set-up-adc for more information

The warning goes away if I set PULUMI_GCP_SKIP_REGION_VALIDATION=true.

This is not quite the same as #1641, which has been fixed. This only happens when the OIDC credentials are loaded via a pulumi environment.

EDIT: this happens without ESC too, as long as a region is configured for the provider.

Sample program

mkdir region-failure && cd region-failure
pulumi new gcp-python -y
pulumi config set gcp:project pulumi-ce-team

Running pulumi preview with "local" OIDC ~works fine~ (this only works fine if no region is configured as the region check will be skipped):

GOOGLE_OAUTH_ACCESS_TOKEN=any-dummy-value pulumi preview
Previewing update (dev)
View in Browser (Ctrl+O): https://app.pulumi.com/stooj/region-failure/dev/previews/d8ac6bef-7e23-4e5b-8a43-c0ed3a093dc5
      Type                   Name                Plan
 +   pulumi:pulumi:Stack    region-failure-dev  create
 +   └─ gcp:storage:Bucket  my-bucket           create
Outputs:
    bucket_name: output<string>
Resources:
    + 2 to create

Running pulumi preview with esc-loaded env throws the warning:

pulumi config env add pulumi-support
KEY               VALUE
gcp:project       pulumi-my-team
pulumi:tags       {"pulumi:template":"gcp-python"}  

ENVIRONMENT VARIABLE        VALUE
CLOUDSDK_AUTH_ACCESS_TOKEN  [unknown]
GOOGLE_OAUTH_ACCESS_TOKEN   [unknown]
GOOGLE_PROJECT              [unknown]
GOOGLE_REGION               europe-central2

Save? Yes
pulumi preview
Previewing update (dev)
View in Browser (Ctrl+O): https://app.pulumi.com/stooj/region-failure/dev/previews/aaa2215e-6e42-487d-8aaf-d2ac9047fe32
     Type                   Name                Plan       Info
 +   pulumi:pulumi:Stack    region-failure-dev  create     1 warning
 +   └─ gcp:storage:Bucket  my-bucket           create
Diagnostics:
  pulumi:pulumi:Stack (region-failure-dev):
    warning: failed to get regions list: failed to create compute service: google: could not find default credentials. See https://cloud.google.com/docs/authentication/external/set-up-adc for more information
Outputs:
    bucket_name: output<string>
Resources:
    + 2 to create

Output of pulumi about

CLI
Version      3.120.0
Go Version   go1.22.4
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  gcp     7.29.0
language  python  unknown

Host
OS       nixos
Version  24.05 (Uakari)
Arch     x86_64

This project is written in python: executable='/home/stooj/code/pulumi/stooj/pulumi-home/onboarding/region-failure/venv/bin/python' version='3.11.9'

Current Stack: stooj/region-failure/dev

Found no resources associated with dev

Found no pending operations associated with dev

Backend
Name           pulumi.com
URL            https://app.pulumi.com/stooj
User           stooj
Organizations  stooj, team-ce, higara, demo
Token type     personal

Dependencies:
NAME                    VERSION
aiodns                  3.2.0
aiohttp                 3.9.5
asn1crypto              1.5.1
async-timeout           4.0.3
awscli                  2.15.43
azure-cli               2.60.0
azure-loganalytics      0.1.1
azure-mgmt-common       0.20.0
azure-mgmt-consumption  10.0.0
azure-mgmt-relay        1.1.0
azure-storage-blob      12.19.1
bcdoc                   0.16.0
black                   24.4.0
botocore                1.34.87
Brotli                  1.1.0
brotlicffi              1.1.0.0
curio                   1.6
Jinja2                  3.1.4
pbr                     6.0.0
pip                     24.1.1
pulumi_gcp              7.29.0
pyasn1                  0.6.0
python-socks            2.4.4
redis                   5.0.3
ruamel.base             1.0.0
setuptools              69.5.1.post0
trio                    0.25.0
wheel                   0.43.0

Pulumi locates its logs in /tmp by default


VenelinMartinov commented 2 months ago

Thanks for the report! This is a bit unexpected, could you please add your ESC environment here? (deleting any secrets there)

stooj commented 2 months ago

Sure. It's actually two environments:

pulumi-support:

imports:
  - pulumi-support-oidc-gcp
values:
  pulumiConfig:
    gcp:project: pulumi-ce-team

pulumi-support-oidc-gcp:

values:
  gcp:
    login:
      fn::open::gcp-login:
        project: 438338752289
        oidc:
          workloadPoolId: pulumi-oidc-identity-pool-stooj
          providerId: pulumi-oidc-provider-stooj
          serviceAccount: pulumi-oidc-service-acct-stooj@pulumi-ce-team.iam.gserviceaccount.com
  environmentVariables:
    GOOGLE_PROJECT: ${gcp.login.project}
    CLOUDSDK_AUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
    GOOGLE_OAUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
    GOOGLE_REGION: europe-central2

Don't think there are any visible secrets in there to remove, so that's the whole env.

VenelinMartinov commented 2 months ago

Thanks for the info, we'll take a look - it's quite unexpected that ESC vs manually specified env vars make a difference.

Are you sure there isn't some ambient login taking effect when you don't use ESC? Perhaps your gcloud CLI login? You can log that out with gcloud auth logout and gcloud auth application-default logout

Or are there maybe other env vars?

Could you check that the program fails in the manual case if you don't specify the token as an env var? Trying to make sure the issue is indeed specific to ESC or maybe it is a general issue with the GCP provider.

stooj commented 2 months ago

Running the repro again to make sure there are no local logins:

mkdir region-failure && cd region-failure
pulumi new gcp-python -y
pulumi config set gcp:project pulumi-ce-team
gcloud auth revoke  # Returns "ERROR: (gcloud.auth.revoke) Invalid value for [accounts]: No credentials available to revoke."
gcloud auth application-default revoke  # Returns "Application Default Credentials have not been set up, nothing to revoke."
pulumi config env add pulumi-support
pulumi preview

I can confirm that I'm definitely not logged in locally, and the issue is still there.

Other env vars - I had a look through env and didn't see anything likely. I am setting PULUMI_HOME to something other than the default so I don't clutter my main pulumi workspace.

Did you have any other env vars in mind? The env vars declared in the esc are not available to my shell, only inside pulumi when it's running, and I've checked that none of them are set externally (env | grep GOOGLE_OAUTH_ACCESS_TOKEN etc).

Could you check that the program fails in the manual case if you don't specify the token as an env var? Trying to make sure the issue is indeed specific to ESC or maybe it is a general issue with the GCP provider.

Is there a way to use OIDC in an ESC env without exposing them as env vars? Sorry, don't know how to do this :disappointed:

If it helps with the reproduction, I used this code to generate the OIDC credentials and create the ESC env.

VenelinMartinov commented 2 months ago

Very much appreciated! Thanks for taking the time to look into this.

Is there a way to use OIDC in an ESC env without exposing them as env vars?

No, this is certainly what happens and is correct. I was mostly trying to understand how the behaviour under ESC could be different, given that the only thing ESC does is change the environment.

I think what's happening is that when you run with ESC the provider gets the GOOGLE_REGION environment variable - this is actually what determines if the region check should happen.

When running manually, because the provider doesn't have a region configured it never does the region check, so never prints the warning.

Given this I am fairly sure the issue is NOT specific to ESC but is a general GCP provider issue when a region is configured and auth is given via GOOGLE_OAUTH_ACCESS_TOKEN.

I hope you don't mind if I edit the issue title to reflect this and add a short note to the description!
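The diagnosis above can be turned into a small pre-flight check to run before `pulumi preview`. This is an added example modelling the behaviour described in this thread, not code from the pulumi-gcp provider: it assumes the region check runs only when a region is configured and the skip flag is unset, and that the check's compute client uses Application Default Credentials rather than the OIDC token in GOOGLE_OAUTH_ACCESS_TOKEN.

```python
import os

SKIP_FLAG = "PULUMI_GCP_SKIP_REGION_VALIDATION"
TOKEN_VARS = ("GOOGLE_OAUTH_ACCESS_TOKEN", "CLOUDSDK_AUTH_ACCESS_TOKEN")
# Well-known ADC file written by `gcloud auth application-default login`.
ADC_FILE = os.path.expanduser("~/.config/gcloud/application_default_credentials.json")


def _truthy(value):
    return value is not None and value.strip().lower() in ("1", "true", "yes")


def predict_region_check(env, adc_available, region=None):
    """Model of the thread's diagnosis (assumption, not provider code).

    Returns (runs_check, outcome); outcome is one of
    'skipped-flag', 'skipped-no-region', 'ok', 'warning'.
    """
    if _truthy(env.get(SKIP_FLAG)):
        return False, "skipped-flag"
    # Region may come from provider config or from GOOGLE_REGION in the env.
    if not (region or env.get("GOOGLE_REGION")):
        return False, "skipped-no-region"
    # Assumed from the thread: the region-list call only sees ADC, so an
    # OIDC-minted token exported by ESC does not satisfy it.
    return True, ("ok" if adc_available else "warning")


def explain(env, adc_available, region=None):
    """Human-readable summary of what `pulumi preview` is expected to print."""
    runs, outcome = predict_region_check(env, adc_available, region)
    has_token = any(env.get(v) for v in TOKEN_VARS)
    if not runs:
        return f"region check skipped ({outcome}); no warning expected"
    if outcome == "ok":
        return "region check runs with ADC; no warning expected"
    why = "token present but check ignores it" if has_token else "no token"
    return f"warning expected: region check needs ADC ({why})"


def adc_on_disk():
    """True when ADC is configured via env var or the gcloud ADC file."""
    return bool(os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")) or os.path.exists(ADC_FILE)


if __name__ == "__main__":
    print(explain(dict(os.environ), adc_on_disk()))
```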