Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: GCECredentials lazily fetches from the metadata server to ensure a universe domain is known #509

Merged
merged 1 commit into from
Dec 19, 2024
Merged

fix: GCECredentials lazily fetches from the metadata server to ensure a universe domain is known #509

merged 1 commit into from
Dec 19, 2024

Conversation

dazuma
Copy link
Member

@dazuma dazuma commented Dec 19, 2024

As part of the logging work, to tamp down on the possible glut of logs on startup in high-traffic environments, we stopped eagerly fetching tokens from the client library credentials object. This was intended not to make any functional difference, because credential objects generally fetch their own tokens just-in-time when requested.

However, #508 revealed one case we missed: GCECredentials do not have a universe_domain set until the token is fetched, since the universe domain comes from the metadata service. Thus, client libraries would fail to initialize with a universe domain mismatch error. This happens only:

  • for GCECredentials, as all other credential types get their universe domain from the input (e.g. json key file), and
  • if the gapic-common gem is older than 0.23.0, because that version temporarily disabled universe domain checking for compute engine for unrelated reasons

Because the intent is for a future version of gapic-common to re-enable universe domain checking, and because some customers have not or cannot update gapic-common, we're going to work around this by causing GCECredentials to fetch its token just-in-time if its universe_domain is queried.

Fixes #508

@dazuma dazuma requested a review from a team as a code owner December 19, 2024 21:50
@dazuma dazuma mentioned this pull request Dec 19, 2024
Closed
viacheslav-rostovtsev
viacheslav-rostovtsev approved these changes Dec 19, 2024
View reviewed changes
Copy link
Member

@viacheslav-rostovtsev viacheslav-rostovtsev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dazuma dazuma merged commit 3678316 into googleapis:main Dec 19, 2024
10 checks passed
@release-please release-please bot mentioned this pull request Dec 19, 2024
Merged
@dazuma dazuma deleted the pr/gce-ud-prefetch branch December 19, 2024 23:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@viacheslav-rostovtsev viacheslav-rostovtsev viacheslav-rostovtsev approved these changes

@aandreassa aandreassa Awaiting requested review from aandreassa

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Gapic::UniverseDomainMismatch errors after updating to googleauth 1.12.0
2 participants
@dazuma @viacheslav-rostovtsev