fix: S2A gRPC flow creates ComputeEngineCredentials via newBuilder. #3651
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rmehta19
changed the title
rockspore
reviewed
Feb 22, 2025
| @@ -1199,14 +1199,18 @@ boolean isDirectPathBoundTokenEnabled() { | |||
| CallCredentials createHardBoundTokensCallCredentials( | |||
| ComputeEngineCredentials.GoogleAuthTransport googleAuthTransport, | |||
| ComputeEngineCredentials.BindingEnforcement bindingEnforcement) { | |||
| ComputeEngineCredentials.Builder credsBuilder = | |||
| ((ComputeEngineCredentials) credentials).toBuilder(); | |||
| // We only set scopes and HTTP transport factory from the original credentials because | |||
There was a problem hiding this comment.
For future readers, could you explain briefly in the comment why we create it from a newBuilder()?
There was a problem hiding this comment.
Ah, yes thanks! This is an known issue in the Auth Library that we're slowly trying to fix as well and sorry to see that this also bit you all.
The existing access token will be invalidated (not copied) in the future from the builder.
product-auto-label
bot
added
size: xs
product-auto-label
bot
added
size: s
rmehta19
changed the title
|
@lqiu96 , please review, thanks! |
lqiu96
approved these changes
Feb 24, 2025
|
/gcbrun |
|
Oh, can you also rename the title to follow conventional commits?
or some similar |
rmehta19
changed the title
|
Thanks @lqiu96 . I also updated the branch with upstream main, I think you will have to rerun gcbrun? |
|
/gcbrun |
JoeWang1127
added a commit
that referenced
this pull request
Feb 25, 2025
🤖 I have created a release *beep* *boop* --- <details><summary>2.54.0</summary> ## [2.54.0](v2.53.0...v2.54.0) (2025-02-25) ### Features * add client side logging with slf4j ([#3403](#3403)) ([fe002fa](fe002fa)) ### Bug Fixes * S2A gRPC flow creates ComputeEngineCredentials via newBuilder. ([#3651](#3651)) ([29c061e](29c061e)) ### Dependencies * update dependency ch.qos.logback:logback-core to v1.3.15 [security] ([#3654](#3654)) ([093d867](093d867)) * update google api dependencies ([#3631](#3631)) ([48db2a1](48db2a1)) * update google auth library dependencies to v1.33.1 ([#3656](#3656)) ([f7877a5](f7877a5)) * update google http client dependencies to v1.46.3 ([#3657](#3657)) ([9d5b3b5](9d5b3b5)) * update grpc to 1.70.0 ([#3641](#3641)) ([ad26cf9](ad26cf9)) * update grpc to 1.70.0 (missed update) ([#3658](#3658)) ([6ca0599](6ca0599)) * Update opentelemetry-semconv to v1.29.0-alpha ([#3635](#3635)) ([49ac09d](49ac09d)) ### Documentation * update showcase readme ([#3659](#3659)) ([0ddf073](0ddf073)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Joe Wang <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
@rockspore pointed out that the credential should be created from scratch because when using toBuilder the underlying access token is copied.
This was confirmed to be a bug with local testing which:
allowedHardBoundAccessTokensempty in GrpcProvider) and then ping the API, logs show the bearer token is used, obtained from making call to MDSallowedHardBoundAccessTokenscontainsMTLS_S2Ain GrpcProvider) and then ping the API, logs show the bearer token is used. A call to MDS is not made.This is likely because the credential and channel have different lifetimes.