DefaultCredentialsProvider is broken for java8 app engine

[igorbernstein2]

This was reported by a bigtable customer:

I've traced through where it fails. In DefaultCredentialsProvider.getDefaultCredentialsUnsynchronized() it will only return the AppEngine credentials if the following evaluates to true:

this.isOnGAEStandard7()

I am on GAE Standard but am using Java 8 not 7, so this check is false and it does not return any valid credentials.

[sduskis]

If you look farther down, you'll see this:

    // Then try Compute Engine and GAE 8 standard environment
    if (credentials == null) {
      credentials = tryGetComputeCredentials(transportFactory);
    }

[sduskis]

@neozwu, do you have any thing to add to this issue?

[romulets]

I'm having the same problem. Although it falls in this condition the method tryGetComputeCredentials is also returning null.

I'm using AppEngine with Java 8

[sduskis]

@ajaaym, can you please have someone take a look at this?

[ajaaym]

@romulets can you please check whether you have this env variable set GCE_METADATA_HOST to "http://metadata.google.internal"? If not can you set that? In mean time I will create a PR to update default metadata url.

[romulets]

I didn't work :/

I configured the environment variable through appengine-web.xml using the following tag:

    <env-variables>
        <env-var name ="GCE_METADATA_HOST" value="metadata.google.internal"/>
    </env-variables>

I got the error

com.google.auth.oauth2.ComputeEngineCredentials runningOnComputeEngine: Failed to detect whether we are running on Google Compute Engine. (ComputeEngineCredentials.java:203)
java.net.UnknownHostException: DNS host lookup failed for URL: http://metadata.google.internal

Is this host available? I think it should be internal host of google, so I can't be sure it's up

[ajaaym]

@romulets are you running on GCP?

[romulets]

Yes, AppEngine GCP

[ajaaym]

@romulets are you using flexible env?

[romulets]

@ajaaym No, I'm using standard environment, java8 runtime.

[ajaaym]

@romulets Thanks, I tried with standard java8 runtime and its working fine with me. Is it possible to provide the sample that you are using?

[romulets]

I'm retrieving a PubSub Publisher through this code:

        Credentials credentials = GoogleCredentials.getApplicationDefault();
        CredentialsProvider credentialsProvider = FixedCredentialsProvider.create(credentials);

        return Publisher.newBuilder(topic)
                .setCredentialsProvider(credentialsProvider)
                .build();

[ajaaym]

@romulets I also used pubsub publisher to test, below is my code. You dont need to provide default credential, client discovers that automatically.

ProjectTopicName topicName = ProjectTopicName.newBuilder()
        .setProject(ServiceOptions.getDefaultProjectId())
        .setTopic("topic-name")
        .build();
    Publisher publisher = Publisher.newBuilder(topicName).build();
    PubsubMessage pubsubMessage =
        PubsubMessage.newBuilder().setData(ByteString.copyFromUtf8("test message")).build();

[romulets]

@ajaaym I wasn't providing credentials and had the same error. I don't know if it is relevant, but my project runtime was java7 and then we migrated it to java8.

Anyway, I solved my problem by providing a hard-coded service account.

[ajaaym]

@romulets which version of pubsub are you using?

[romulets]

@ajaaym 0.33.0-beta

[ajaaym]

@romulets I tried with 0.33.0-beta and it worked fine. Below is my code:

Code:

    TopicName topicName = TopicName.newBuilder()
        .setProject(ServiceOptions.getDefaultProjectId())
        .setTopic("topic-name")
        .build();
    Publisher publisher = Publisher.newBuilder(topicName).build();
    PubsubMessage pubsubMessage =
        PubsubMessage.newBuilder().setData(ByteString.copyFromUtf8("test message")).build();

<sduskis: removed sensitve data>

[hugo-ayala]

I ended up using a hard coded service account as well. I don't have problems with other services like Cloud Storage or KMS, but PubSub was a nogo