auth: Fail on invalid Google Service Account JSON #10429
Comments
codyoss
added
the
status: investigating
|
@whs In your case, what was the old error message in these cases? Go's default json unmarshalling is very permissive in general. |
|
In my case the old library work just fine. The new library do require the audience field to not be empty: google-cloud-go/auth/credentials/internal/externalaccount/externalaccount.go Lines 154 to 156 in 05816f9 |
|
Looking at the source it seems that the check was added when externalaccount was moved from internal to exported I think the previous application that used our STS service was deployed last year, so it was before this was added. |
|
Should have a patch shortly. Audience should have always been required before I believe looking at the spec: https://google.aip.dev/auth/4117#expected-behavior . This was a bug in the old library I would say. |
|
fixed in #10431. Should be released today yet. |
Is your feature request related to a problem? Please describe.
In the previous oauth2 library, if the Google Service Account JSON is invalid, an error is thrown.
In the new oauth2 library, the error is silently dropped. This make troubleshooting service account JSON near impossible.
We're using external account JSON with emulated Google STS server that calls to HashiCorp Vault, so the JSON is written by hand.
Describe the solution you'd like
If GOOGLE_APPLICATION_CREDENTIALS is present and the JSON is invalid in anyway (unreadable, unparsable, invalid schema, etc.), then it should return an error message
Describe alternatives you've considered
Use a debugger to check the
err, which is not possible in production.Other context
In our case the
audiencefield is handled by Vault, so we leave it empty but the new SDK do not allow that. Perhaps that might not be all of the problems though since there's no concrete error message.The text was updated successfully, but these errors were encountered: