ComputeCredential.IsRunningOnComputeEngine doesn't work #1409
Comments
This means that one cannot use the default compute service account or Workload Identity.
I'm very surprised it's not working - it certainly has in the past. I do wonder whether this is a GKE-specific problem. Note that in your example, you're showing a curl command that tries to fetch a token - whereas the code in IsRunningOnComputeEngine just fetches http://169.254.169.254. I've just tried running Could you try your test in GKE but just fetching http://169.254.169.254 ? I have no issue with adding the header in the test, but I'd like to know more about what's going on.
The
I get the feeling it might be a Workload Identity specific issue. I'm just guessing but maybe a normal GCE instance has an access token in the well-known location, whereas a k8s pod with Workflow Identity doesn't have one (at least not in the JSON format). Or
I tried the same request from a normal GCE instance and it returns 200. From k8s the metadata server behaves differently it seems. From GCE:
The method IsRunningOnComputeEngineNoCache checks that the metadata server returns the header Metadata-Flavor: Google. However, that endpoint will return an error if that same header is not also supplied in the request.

Notice in the following, curl-ing the endpoint does not return the header it's checking for:

Elsewhere in ComputeCredential it does add the header, but not for IsRunningOnComputeEngine.

I'll create a PR in a few moments.
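The header dependency reported in this issue, as an added Python example that is not part of the original report or the project's code: a detection probe that looks for Metadata-Flavor: Google in the response is run against two local mock servers, once with and once without the same header on the request. The mocks, the names `make_handler`, `looks_like_metadata_server` and `probe_matrix`, and the 403 status for the error case are assumptions made for the illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

NAME, VALUE = "Metadata-Flavor", "Google"
# Talk to the endpoint directly; ignore any proxy settings in the environment.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def make_handler(strict):
    """Constructed stand-in for a metadata server, not real GCE/GKE code."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if strict and self.headers.get(NAME) != VALUE:
                # Assumed error shape: 403, no Metadata-Flavor in the response.
                self.send_response(403)
            else:
                self.send_response(200)
                self.send_header(NAME, VALUE)
            self.end_headers()
        def log_message(self, *args):  # silence per-request logging
            pass
    return Handler

def looks_like_metadata_server(url, send_header, timeout=2.0):
    """True only if the response carries Metadata-Flavor: Google."""
    req = urllib.request.Request(url, headers={NAME: VALUE} if send_header else {})
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.headers.get(NAME) == VALUE
    except urllib.error.HTTPError as err:  # error responses still have headers
        return err.headers.get(NAME) == VALUE
    except OSError:  # unreachable, timeout: not a metadata server
        return False

def probe_matrix():
    """Probe a lenient and a strict mock, with and without the request header."""
    results = {}
    for kind, strict in (("lenient", False), ("strict", True)):
        server = HTTPServer(("127.0.0.1", 0), make_handler(strict))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = "http://127.0.0.1:%d/" % server.server_address[1]
        for send in (False, True):
            results[(kind, send)] = looks_like_metadata_server(url, send)
        server.shutdown()
        server.server_close()
    return results

if __name__ == "__main__":
    print(probe_matrix())
```

Only the strict mock probed without the request header is reported as "not a metadata server", which is the false negative the issue describes.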