Bazel doesn't get Google Application Default Credentials correctly #3460
Assignees
Labels
P1
I'll work on this now. (Assignee required)
Comments
buchgr
added
category: service APIs
P1
|
@huahang if you would like to fix this ... we love contributions :-)! Let me know! |
|
@buchgr Is there a reason that Bazel has any custom handling of the GOOGLE_APPLICATION_CREDENTIALS environment variable at all? I would have expected it to depend on GoogleCredentials.getApplicationDefault(...) to select the appropriate credentials source? |
|
@pmcalpine I don't think so. AFAIK it's been there since before I joined, so I can't say for sure, but we might not have been using google's auth library initially. Anyway, I think it's safe to remove and we will include this in the next release. |
|
Great to hear that. Thanks a lot @buchgr! |
buchgr
added a commit
that referenced
this issue
Aug 7, 2017
#3486 BES and Remote Execution have separate implementations of gRPC channel creation, authentication and TLS. We should merge them, to avoid duplication and bugs. One such bug is #3640, where the BES code had a different implementation for Google Application Default Credentials. RELNOTES: The Build Event Service (BES) client now properly supports Google Applicaton Default Credentials. PiperOrigin-RevId: 164253879
buchgr
added a commit
that referenced
this issue
Aug 11, 2017
#3486 BES and Remote Execution have separate implementations of gRPC channel creation, authentication and TLS. We should merge them, to avoid duplication and bugs. One such bug is #3640, where the BES code had a different implementation for Google Application Default Credentials. RELNOTES: The Build Event Service (BES) client now properly supports Google Applicaton Default Credentials. PiperOrigin-RevId: 164253879
buchgr
added a commit
that referenced
this issue
Aug 21, 2017
#3486 BES and Remote Execution have separate implementations of gRPC channel creation, authentication and TLS. We should merge them, to avoid duplication and bugs. One such bug is #3640, where the BES code had a different implementation for Google Application Default Credentials. RELNOTES: The Build Event Service (BES) client now properly supports Google Applicaton Default Credentials. PiperOrigin-RevId: 164253879
buchgr
added a commit
that referenced
this issue
Aug 22, 2017
#3486 BES and Remote Execution have separate implementations of gRPC channel creation, authentication and TLS. We should merge them, to avoid duplication and bugs. One such bug is #3640, where the BES code had a different implementation for Google Application Default Credentials. RELNOTES: The Build Event Service (BES) client now properly supports Google Applicaton Default Credentials. PiperOrigin-RevId: 164253879
bazel-io
pushed a commit
that referenced
this issue
Aug 25, 2017
Baseline: 6563b2d Cherry picks: + d4fa181: Use getExecPathString when getting bash_main_file + 837e1b3: Windows, sh_bin. launcher: export runfiles envvars + fe9ba89: grpc: Consolidate gRPC code from BES and Remote Execution. Fixes #3460, #3486 + e8d4366: Automated rollback of commit 496d3de. + 242a434: bes,remote: update default auth scope. + 793b409: Windows, sh_bin. launcher: fix manifest path + 7e4fbbe: Add --windows_exe_launcher option + 91fb38e: remote_worker: Serialize fork() calls. Fixes #3356 + b79a9fc: Quote python_path and launcher in python_stub_template_windows.txt + 4a2e17f: Add build_windows_jni.sh back + ce61d63: don't use methods and classes removed in upstream dx RELNOTES: update dexing tools to Android SDK 26.0.1 + 5393a49: Make Bazel enforce requirement on build-tools 26.0.1 or later. + 5fac03570f80856c063c6019f5beb3bdc1672dee: Fix --verbose_failures w/ sandboxing to print the full command line + f7bd1acf1f96bb7e3e19edb9483d9e07eb5af070: Only patch in C++ compile features when they are not already defined in crosstool + d7f5c12: Bump python-gflags to 3.1.0, take two + 3cb136d: Add python to bazel's dockerfiles New features: - Do not disable fully dynamic linking with ThinLTO when invoked via LIPO options. Important changes: - Ignore --glibc in the Android transition. - Remove --experimental_android_use_singlejar_for_multidex. - nocopts now also filter copts - The Build Event Service (BES) client now properly supports Google Applicaton Default Credentials. - update dexing tools to Android SDK 26.0.1 - Bazel Android support now requires build-tools 26.0.1 or later. - Fix a bug in the remote_worker that would at times make it crash on Linux. See #3356 - The java_proto_library rule now supports generated sources. See #2265
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When getting the application default credentials, google-auth-library-java searches from five different sources in order (see doc and code) :
However, currently Bazel checks the first source only: If environment variable "GOOGLE_APPLICATION_CREDENTIALS" is empty, it simply returns null. This means we have to always provide the json credential file in order to upload build events to BES.
I did the following experiment:
!isNullOrEmpty(getenv(DEFAULT_APP_CREDENTIALS_ENV_VAR)and ran the above the same command.The text was updated successfully, but these errors were encountered: