Default credentials fail to detect running on GCP when ADC env var is empty #983
Comments
Hi @mbrancato, Could you describe how you attached service account? This doc provides a few ways: https://cloud.google.com/docs/authentication/provide-credentials-adc#containerized For example, if you use work identity for GKE and network policy is enabled, this troubleshooting page might be helpful: https://cloud.google.com/knowledge/kb/defaultcredentialserror-with-workload-identity-000004712.
Also wondering what does
Yes, we're using GKE workload identity. Everything works fine if I unset the You can create an empty env var by doing this:
The Dockerfile spec does not have a way to "unset" an env var, only clear its value from the layer making it empty. I was setting the ADC env var to a file path, then later clearing it. This left the env var set in the environment, but empty. Manually running I ran the following in a temporary python container to illustrate the issue. All commands were performed after running
I'm not an expert on Dockerfile, but when you I'm going to close this as this is not an issue for pubsub python client library.
Wow ok. I'm saying this is a behavioral bug in how the pubsub auth process determines what creds to use. If the ADC env var exists but is empty, the auth should ignore it as if it does not exist. I'm not sure why this is so confusing. I'm not talking about a programming language's interpretation of an env var, all env vars are strings.
Well the authentication is actually taken care of by google-auth (https://github.com/googleapis/google-auth-library-python). You can open an issue there if you think it is a bug. (Oh you already did this so nvm :))
In the final layer of a container, it is pretty common to clear out env vars by setting them to empty. When `GOOGLE_APPLICATION_CREDENTIALS` exists but is empty (e.g. after pulling packages from Google Artifact Registry), the default credentials for the pubsub transport fails to use the assigned service account / metadata server.

Environment details
Linux 5.10.176+
Python 3.11.2
pip 23.0.1 from /usr/lib/python3/dist-packages/pip (python 3.11)
google-cloud-pubsub version: 2.18.3
Steps to reproduce
Code example
Stack trace
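
Added example, not part of the original issue and not code from google-auth or the Pub/Sub client: a startup guard that treats an empty `GOOGLE_APPLICATION_CREDENTIALS` as unset, which is the behaviour the reporter asks for. The function names and the sample environments are assumptions made for this sketch; a non-empty value that points at a missing file is deliberately left in place so the misconfiguration surfaces as an error instead of silently switching identity.

```python
import os

ADC_ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS"


def classify_adc_env(environ) -> str:
    """Return 'unset', 'empty', 'missing-file' or 'file' for the ADC variable."""
    if ADC_ENV_VAR not in environ:
        return "unset"
    value = environ[ADC_ENV_VAR]
    if not value.strip():
        # Set but empty: what a Dockerfile `ENV VAR=` "clear" leaves behind.
        return "empty"
    if not os.path.isfile(value):
        return "missing-file"
    return "file"


def sanitize_adc_env(environ=None) -> str:
    """Remove an empty ADC variable from the environment and report its state.

    Call this once at process start, before any Google client is constructed,
    so credential discovery sees the variable as absent and can fall through
    to the attached service account.
    """
    if environ is None:
        environ = os.environ
    state = classify_adc_env(environ)
    if state == "empty":
        del environ[ADC_ENV_VAR]
    # 'missing-file' is left untouched on purpose: a wrong path is a real
    # misconfiguration and should fail loudly, not fall back to another identity.
    return state


if __name__ == "__main__":
    # Constructed sample environments, not taken from the issue.
    samples = [
        {},
        {ADC_ENV_VAR: ""},
        {ADC_ENV_VAR: "/constructed/path/that/does/not/exist.json"},
    ]
    for env in samples:
        before = dict(env)
        print(before, "->", sanitize_adc_env(env), "->", env)
```

Removing the variable this way only affects the current process and its children; the image itself still carries the empty value.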