Issue with auth and Docker GCE VM instance

[ryanseys]

From an internal bug report:

--- SNIP ---

I tried to use gcloud-node from a Node application running inside of a docker container on a GCE container-optimized VM instance. I expected authentication to work automatically given the README (https://github.com/GoogleCloudPlatform/gcloud-node#on-google-compute-engine) but it didn't work.

What did you expect to happen?
gcloud-node should work inside docker containers on GCE container-optimized VM instances (or the README should be updated to specify cases in which authentication doesn't work automatically on GCE)

--- SNIP ---

[stephenplusplus]

Thanks for sharing! Is there a time stamp when that was filed? Also would be great to get the reporter here for further questions.

All that should be required in GCE is a project ID. If this is managed VMs, authentication is manual. It's been a while since I've dug into this though, perhaps things have changed. I'll try to look into this soon.

[ryanseys]

Oh you're right, time of file was Dec 1, 2014 :( This might be obsolete.

[stephenplusplus]

I've learned a few things while digging into this. I used a new GCE vm with all scopes enabled.

1. We have a bug with how we instantiate Datastore (PR coming soon) fixed
2. From GCE, getting a bearer token from the google auth library is successful
3. Making requests to the Storage API works
4. Making requests to the Datastore API does not work

Here's my app: http://130.211.180.58:8080/

Here's a detailed view of the failed Datastore API request.

var query = dataset.createQuery(["Users"])
dataset.runQuery(query, function() {...});

Which makes the request:

{ method: 'POST',
  uri: 'https://www.googleapis.com/datastore/v1beta2/datasets/nth-circlet-705/runQuery',
  headers:
   { 'Content-Type': 'application/x-protobuf',
     Authorization: 'Bearer ya29....', // same token that works with Storage calls
     'User-Agent': 'gcloud-node/0.20.0',
     'Content-Length': 13 } }

And responds with:

{ statusCode: 401,
  body: undefined,
  headers:
   { vary: 'X-Origin, Origin,Accept-Encoding',
     'www-authenticate': 'Bearer realm="https://accounts.google.com/", error=invalid_token',
     'content-type': 'text/html; charset=UTF-8',
     date: 'Wed, 02 Sep 2015 17:50:38 GMT',
     expires: 'Wed, 02 Sep 2015 17:50:38 GMT',
     'cache-control': 'private, max-age=0',
     'x-content-type-options': 'nosniff',
     'x-frame-options': 'SAMEORIGIN',
     'x-xss-protection': '1; mode=block',
     server: 'GSE',
     'alternate-protocol': '443:quic,p=1',
     'alt-svc': 'quic=":443"; p="1"; ma=604800',
     'accept-ranges': 'none',
     connection: 'close' }

// @jgeewax not sure where to go from here.

[stephenplusplus]

From @jonparrott (thanks!):

cloud-platform doesn't include userinfo.email. userinfo.email was just recently added to the default scopes for [managed VMs] but it will be a few weeks before it hits prod. In the meantime, add the scopes to your app.yaml like this: https://github.com/GoogleCloudPlatform/nodejs-getting-started/blob/2-structured-data/app.yaml

[theacodes]

Should be in production now, verified last week. :)

[theacodes]

Actually, this only applies for MVMs. GCE instances will still need to explicitly request userinfo.email until datastore v1beta3. example

[stephenplusplus]

Sweet, thanks for the info!