I'm getting gcloud/certificate_config.json: permission denied after updating to v0.178.0+, using NewAuthLibrary #2672

Closed
echarrod opened this issue Jul 4, 2024 · 3 comments
Labels
priority: p3 Desirable enhancement or fix. May not be included in next release. status: investigating The issue is under investigation, which is determined to be non-trivial. type: question Request for information or clarification. Not an issue.


echarrod commented Jul 4, 2024

Description

google.golang.org/api v0.177.0 seems to work fine, but when I update to v0.178.0 and above, I get the following error:

error creating service: open /root/.config/gcloud/certificate_config.json: permission denied

when initialising an fcm service with:

svc, err := fcm.NewService(context.Background(), option.WithCredentialsFile(credentialsFile))

I'm guessing this is from the change in #2519 to use the new auth library.

What I've tried

  1. Adding scopes:

     option.WithScopes(
         "https://www.googleapis.com/auth/devstorage.read_write",
         "https://www.googleapis.com/auth/cloud-identity.groups",
     ))

  2. Setting GOOGLE_API_USE_CLIENT_CERTIFICATE: true after reading this help article

Other Info

  • We're running this from Kubernetes in a docker container
  • And we don't have the gcloud cli available currently.

Any pointers would be much appreciated 🙏

echarrod added priority: p3 Desirable enhancement or fix. May not be included in next release. type: question Request for information or clarification. Not an issue. labels Jul 4, 2024

codyoss (Member) commented Jul 8, 2024

Thank you for the report. Just to confirm, did you test this with 0.187.0? I ask because I know that version had a fix in related to this auth flow.

cc @andyrzhao

codyoss added the status: investigating The issue is under investigation, which is determined to be non-trivial. label Jul 8, 2024

echarrod (Author) commented Jul 8, 2024

Thanks for the response @codyoss. Ah I think that wasn't released when I started investigating - we tried a few versions up to and including v0.186.0. We were using a credentials file though rather than an API Key, so not sure if that would have actually helped.

Just now I think we might have solved the issue though - I believe the problem arose with the default value of the certificate config being /root/.config/gcloud/certificate_config.json for our container. Upon investigation - we don't want to use the root user for security reasons, and instead we use a different user, and so this is why we were getting permission denied.

I saw on https://github.com/googleapis/enterprise-certificate-proxy?tab=readme-ov-file#manual-certificate-configuration that setting the GOOGLE_API_CERTIFICATE_CONFIG to another value would override this, so I've set it to /home/myUser/.config/gcloud/certificate_config.json, and that seems to have worked.

I believe I can close the issue now, thanks though!
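
A preflight check for the failure resolved above, as an added example that is not part of the original thread or the project's own code: it resolves the certificate config path (the GOOGLE_API_CERTIFICATE_CONFIG override first, otherwise a path under the home directory) and reports whether the current user can open it. The helper names are hypothetical, and the default path layout is an assumption generalised from the /root/... path in the reported error.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

const certConfigEnv = "GOOGLE_API_CERTIFICATE_CONFIG" // override variable named in the thread

// resolveCertConfigPath: the override wins, otherwise the file is expected under
// <home>/.config/gcloud/ (assumed layout, taken from the path in the reported error).
func resolveCertConfigPath(override, home string) string {
	if override != "" {
		return override
	}
	return filepath.Join(home, ".config", "gcloud", "certificate_config.json")
}

// classifyOpenErr separates "file not there" from "file not readable by this user".
func classifyOpenErr(err error) string {
	switch {
	case err == nil:
		return "readable"
	case errors.Is(err, fs.ErrNotExist):
		return "absent"
	case errors.Is(err, fs.ErrPermission):
		return "permission-denied"
	}
	return "error"
}

// preflight (hypothetical helper) opens the resolved path as the current user.
func preflight(override, home string) (path, status string) {
	path = resolveCertConfigPath(override, home)
	f, err := os.Open(path)
	if err == nil {
		f.Close()
	}
	return path, classifyOpenErr(err)
}

func main() {
	home, _ := os.UserHomeDir() // assumption: stands in for the library's own home lookup
	path, status := preflight(os.Getenv(certConfigEnv), home)
	fmt.Printf("uid=%d home=%s config=%s status=%s\n", os.Getuid(), home, path, status)
}
```

Run inside the container image as the same non-root user as the workload: a `permission-denied` status with a path under another user's home directory is the state reported in this issue.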

echarrod closed this as completed Jul 8, 2024

codyoss (Member) commented Jul 8, 2024

Awesome glad you were able to figure it out!
