Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Failure from metadata server" when using GKE and Workload Identity #2346

Closed
bradam12 opened this issue Oct 27, 2023 · 5 comments
Closed

"Failure from metadata server" when using GKE and Workload Identity #2346

bradam12 opened this issue Oct 27, 2023 · 5 comments
Assignees
@ddelgrosso1
Labels
api: storage Issues related to the googleapis/nodejs-storage API. priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@bradam12
Copy link

bradam12 commented Oct 27, 2023
edited

We were getting the "Failure from metadata server" when trying to create a signed URL in our existing application. This is an app already running in prod. We're adding an additional feature that requires signed URLs.

I created a barebones test.js file and also used the included sample at https://github.com/googleapis/nodejs-storage/blob/main/samples/generateV4ReadSignedUrl.js as reproducible cases. Versions 2.x, 3.x, 4.x all work properly, and 5.0.0 and up exhibit the error.

Environment details

  • OS: buster
  • Node.js version: 16.20.2
  • npm version: 8.19.4
  • @google-cloud/storage version: 5.0.0 and up

Steps to reproduce

  1. Run node:16 pod in GKE (we're currently on v1.24.15-gke.1700), with established workload identity, KSA and GSA linked. GSA has Storage Object Admin and Service Account Token Creator.
  2. Exec into pod
  3. Write the sample file from https://github.com/googleapis/nodejs-storage/blob/main/samples/generateV4ReadSignedUrl.js
  4. Install @google-cloud/storage@5
  5. Run node test.js bucketname filename
  6. Receive error: Failure from metadata server.
  7. Repeat for @google-cloud/storage@6 and @google-cloud/storage@7, receive same error
@bradam12 bradam12 added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Oct 27, 2023
@product-auto-label product-auto-label bot added the api: storage Issues related to the googleapis/nodejs-storage API. label Oct 27, 2023
@ddelgrosso1
Copy link
Contributor

Hi @bradam12 is this only happening within GKE? Has it been successful in other environments for you?

@bradam12
Copy link
Author

bradam12 commented Oct 27, 2023 via email

@ddelgrosso1
Copy link
Contributor

@bradam12 came across this documentation: https://cloud.google.com/knowledge/kb/unable-to-reach-gke-metadata-server-on-workload-identity-enabled-cluster-000004705 is this inline with your problem?

@ddelgrosso1 ddelgrosso1 self-assigned this Oct 27, 2023
@bradam12
Copy link
Author

Unfortunately does not apply. I'm able to curl to the metadata server to get a token correctly.

@bradam12 bradam12 closed this as not planned Won't fix, can't repro, duplicate, stale Mar 13, 2024
@bradam12
Copy link
Author

bradam12 commented Mar 13, 2024
edited

I'm no longer working in that env. Closing.

@mkherlakian mkherlakian mentioned this issue Apr 26, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ddelgrosso1 ddelgrosso1

Labels
api: storage Issues related to the googleapis/nodejs-storage API. priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bradam12 @ddelgrosso1