Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

storage: Loading creds during NewClient breaks application without default creds #4980

Closed
Xuanwo opened this issue Oct 13, 2021 · 3 comments · Fixed by #4982
Closed

storage: Loading creds during NewClient breaks application without default creds #4980

Xuanwo opened this issue Oct 13, 2021 · 3 comments · Fixed by #4982
Assignees
@BrennaEpp
Labels
api: storage Issues related to the Cloud Storage API. priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@Xuanwo
Copy link

Xuanwo commented Oct 13, 2021

Client

storage

Environment

Self-hosted CI (not on GCE)

Go Environment

$ go version
go 1.16

Code

package gcs

import (
	"context"
	"net/http"
	"testing"

	gs "cloud.google.com/go/storage"
	"golang.org/x/oauth2/google"
	"google.golang.org/api/option"
	htransport "google.golang.org/api/transport/http"
)

func TestClient(t *testing.T) {
	ctx := context.Background()

	var err error

	// We will have a costumed http client for timeout control.
	hc := http.DefaultClient
	hc.Transport, err = htransport.NewTransport(ctx, hc.Transport,
		// The cred could be loaded from file or JSON that user input.
		option.WithCredentials(&google.Credentials{}))
	if err != nil {
		t.Errorf("new transport error")
	}

	_, err = gs.NewClient(ctx, option.WithHTTPClient(hc))
	if err != nil {
		t.Errorf("new client failed: %v", err)
	}
}

func TestClientWithDuplicatedCredentials(t *testing.T) {
	ctx := context.Background()

	var err error

	// We will have a costumed http client for timeout control.
	hc := http.DefaultClient
	hc.Transport, err = htransport.NewTransport(ctx, hc.Transport,
		// The cred could be loaded from file or JSON that user input.
		option.WithCredentials(&google.Credentials{}))
	if err != nil {
		t.Errorf("new transport error")
	}

	// The trick way
	_, err = gs.NewClient(ctx, option.WithHTTPClient(hc), option.WithCredentials(&google.Credentials{}))
	if err != nil {
		t.Logf("init via set duplicated credentials could succeed")
	}
}

Expected behavior

Init with success.

Actual behavior

Output error:

    utils_test.go:30: new client failed: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

Additional context

We met this error during our depandabot upgrade from 1.17 to 1.18: beyondstorage/go-service-gcs#80

Our failed build log: https://teamcity.beyondstorage.io/buildConfiguration/Services_Gcs_IntegrationTests/934?showLog=934_67_67

image

This problem is introduced by #4604:

google-cloud-go/storage/storage.go

Lines 134 to 140 in 0f7457c

c, err := transport.Creds(ctx, opts...)
if err != nil {
return nil, err
}
creds = c
opts = append(opts, internaloption.WithCredentials(creds))

Do we have a better solution to handle the situation when user doesn't pass credential during storage.NewClient?
@Xuanwo Xuanwo added the triage me I really want to be triaged. label Oct 13, 2021
@product-auto-label product-auto-label bot added the api: storage Issues related to the Cloud Storage API. label Oct 13, 2021
@Xuanwo Xuanwo mentioned this issue Oct 13, 2021
Closed
@BrennaEpp BrennaEpp assigned BrennaEpp and unassigned tritone Oct 13, 2021
@tritone
Copy link
Contributor

tritone commented Oct 13, 2021

Thanks for reporting. @BrennaEpp is investigating this; @codyoss FYI as well.

@tritone tritone added priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. and removed triage me I really want to be triaged. labels Oct 13, 2021
@codyoss codyoss mentioned this issue Oct 13, 2021
Merged
tritone pushed a commit that referenced this issue Oct 14, 2021
@codyoss
fix(storage): don't assume auth from a client option (#4982)
e17334d 
* fix(storage): don't assume auth from a client option

There are cases where a user might not auth with ADC or a client
option such as passing in their own client. In these cases we
should not error, but instead just not make use of the internal
cred lookup.

Fixes: #4980

* switch ordering of some lines

* add some docs
@Xuanwo
Copy link
Author

Xuanwo commented Oct 14, 2021

Bravo!

@tritone
Copy link
Contributor

tritone commented Oct 14, 2021

This is released in storage/v1.18.1. Thanks again for your report, we definitely missed this case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@BrennaEpp BrennaEpp

Labels
api: storage Issues related to the Cloud Storage API. priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(storage): don't assume auth from a client option
3 participants
@tritone @Xuanwo @BrennaEpp