-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bazel doesn't get Google Application Default Credentials correctly #3460
Comments
@huahang if you would like to fix this ... we love contributions :-)! Let me know! |
@buchgr Is there a reason that Bazel has any custom handling of the GOOGLE_APPLICATION_CREDENTIALS environment variable at all? I would have expected it to depend on GoogleCredentials.getApplicationDefault(...) to select the appropriate credentials source? |
@pmcalpine I don't think so. AFAIK it's been there since before I joined, so I can't say for sure, but we might not have been using google's auth library initially. Anyway, I think it's safe to remove and we will include this in the next release. |
Great to hear that. Thanks a lot @buchgr! |
#3486 BES and Remote Execution have separate implementations of gRPC channel creation, authentication and TLS. We should merge them, to avoid duplication and bugs. One such bug is #3640, where the BES code had a different implementation for Google Application Default Credentials. RELNOTES: The Build Event Service (BES) client now properly supports Google Applicaton Default Credentials. PiperOrigin-RevId: 164253879
#3486 BES and Remote Execution have separate implementations of gRPC channel creation, authentication and TLS. We should merge them, to avoid duplication and bugs. One such bug is #3640, where the BES code had a different implementation for Google Application Default Credentials. RELNOTES: The Build Event Service (BES) client now properly supports Google Applicaton Default Credentials. PiperOrigin-RevId: 164253879
#3486 BES and Remote Execution have separate implementations of gRPC channel creation, authentication and TLS. We should merge them, to avoid duplication and bugs. One such bug is #3640, where the BES code had a different implementation for Google Application Default Credentials. RELNOTES: The Build Event Service (BES) client now properly supports Google Applicaton Default Credentials. PiperOrigin-RevId: 164253879
#3486 BES and Remote Execution have separate implementations of gRPC channel creation, authentication and TLS. We should merge them, to avoid duplication and bugs. One such bug is #3640, where the BES code had a different implementation for Google Application Default Credentials. RELNOTES: The Build Event Service (BES) client now properly supports Google Applicaton Default Credentials. PiperOrigin-RevId: 164253879
Baseline: 6563b2d Cherry picks: + d4fa181: Use getExecPathString when getting bash_main_file + 837e1b3: Windows, sh_bin. launcher: export runfiles envvars + fe9ba89: grpc: Consolidate gRPC code from BES and Remote Execution. Fixes #3460, #3486 + e8d4366: Automated rollback of commit 496d3de. + 242a434: bes,remote: update default auth scope. + 793b409: Windows, sh_bin. launcher: fix manifest path + 7e4fbbe: Add --windows_exe_launcher option + 91fb38e: remote_worker: Serialize fork() calls. Fixes #3356 + b79a9fc: Quote python_path and launcher in python_stub_template_windows.txt + 4a2e17f: Add build_windows_jni.sh back + ce61d63: don't use methods and classes removed in upstream dx RELNOTES: update dexing tools to Android SDK 26.0.1 + 5393a49: Make Bazel enforce requirement on build-tools 26.0.1 or later. + 5fac03570f80856c063c6019f5beb3bdc1672dee: Fix --verbose_failures w/ sandboxing to print the full command line + f7bd1acf1f96bb7e3e19edb9483d9e07eb5af070: Only patch in C++ compile features when they are not already defined in crosstool + d7f5c12: Bump python-gflags to 3.1.0, take two + 3cb136d: Add python to bazel's dockerfiles New features: - Do not disable fully dynamic linking with ThinLTO when invoked via LIPO options. Important changes: - Ignore --glibc in the Android transition. - Remove --experimental_android_use_singlejar_for_multidex. - nocopts now also filter copts - The Build Event Service (BES) client now properly supports Google Applicaton Default Credentials. - update dexing tools to Android SDK 26.0.1 - Bazel Android support now requires build-tools 26.0.1 or later. - Fix a bug in the remote_worker that would at times make it crash on Linux. See #3356 - The java_proto_library rule now supports generated sources. See #2265
When getting the application default credentials, google-auth-library-java searches from five different sources in order (see doc and code) :
However, currently Bazel checks the first source only: If environment variable "GOOGLE_APPLICATION_CREDENTIALS" is empty, it simply returns null. This means we have to always provide the json credential file in order to upload build events to BES.
I did the following experiment:
!isNullOrEmpty(getenv(DEFAULT_APP_CREDENTIALS_ENV_VAR)
and ran the above the same command.The text was updated successfully, but these errors were encountered: