Application default credentials aren't reloaded on expiration #1632

Open
imathews opened this issue Jan 19, 2024 · 2 comments
Labels
feature request Feature request: request to add new features or functionality p2 P2

Comments

@imathews

Describe the issue
For security purposes, our application default credentials are set to expire every 16 hrs (in local dev environments). When a developer refreshes their credentials, GCS fuse doesn't seem to reload the credential file, and continues to get invalid_grant errors since it is using the old, expired credentials. This requires the additional step of restarting GCSFuse — not the end of the world, but an extra layer of complexity that would ideally be handled by fuse.

To Collect more Debug logs
Steps to reproduce the behavior:

  1. Create application default credentials: gcloud auth application-default login
  2. Start GCS fuse, which will use these credentials
  3. Revoke / expire the credentials. GCS fuse will start logging errors.
  4. Refresh the credentials: gcloud auth application-default login
  5. Within a reasonable period of time, we would expect fuse to reload the credentials file and start working again, but it currently doesn't.

System (please complete the following information):

  • OS: Debian 11 (bullseye)
  • Platform: local kubernetes
  • Version: 1.4.0
@imathews imathews added p1 P1 question Customer Issue: question about how to use tool labels Jan 19, 2024
@ashmeenkaur ashmeenkaur self-assigned this Jan 22, 2024
@ashmeenkaur ashmeenkaur added feature request Feature request: request to add new features or functionality p2 P2 and removed question Customer Issue: question about how to use tool p1 P1 labels Jan 24, 2024
@ashmeenkaur ashmeenkaur removed their assignment Jan 29, 2024
@ashmeenkaur
Collaborator

Hi @imathews,

Thanks for bringing this to our attention. We're working to determine if we can fix this directly in GCSFuse. We have raised a question for the OAuth2 team here. In the meantime, I was wondering if using the GCSFuse --token-url flag would be a possible workaround for you?

Thanks,
Ashmeen

@imathews
Author

Thanks @ashmeenkaur. Right now our workaround is just to restart GCSFuse on token expiration, which is a bit easier (given our dev setup) than passing the --token-url flag. Though that would likely work too.

FWIW, I believe that other Google Cloud libraries are handling this properly. Specifically, the various GCP Node clients (which I believe all rely on https://github.com/googleapis/google-auth-library-nodejs).
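
The behaviour requested in this issue, as an added example (not part of the thread, and not GCSFuse or OAuth2 library code): a credential cache that re-reads the application default credentials file when it changes on disk, so the result of a fresh `gcloud auth application-default login` is picked up without a restart. `ReloadingCreds` and `Current` are hypothetical names, and the sketch assumes an authorized_user file of which only the `refresh_token` field is read.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sync"
	"time"
)

// ReloadingCreds (hypothetical) re-reads an ADC file when its mtime or size changes.
type ReloadingCreds struct {
	Path  string
	mu    sync.Mutex
	mod   time.Time
	size  int64
	token string
}

// Current returns the cached token and whether this call reloaded it. A
// missing, half-written or token-less file leaves the previous token in place.
func (r *ReloadingCreds) Current() (string, bool, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	st, err := os.Stat(r.Path)
	if err != nil {
		return r.token, false, err
	}
	if st.ModTime().Equal(r.mod) && st.Size() == r.size {
		return r.token, false, nil // unchanged since the last successful load
	}
	raw, err := os.ReadFile(r.Path)
	if err != nil {
		return r.token, false, err
	}
	var next struct {
		RefreshToken string `json:"refresh_token"`
	}
	if json.Unmarshal(raw, &next) != nil || next.RefreshToken == "" {
		return r.token, false, fmt.Errorf("%s: not a usable credential file", r.Path)
	}
	r.token, r.mod, r.size = next.RefreshToken, st.ModTime(), st.Size()
	return r.token, true, nil
}

func main() {
	r := &ReloadingCreds{Path: os.Getenv("GOOGLE_APPLICATION_CREDENTIALS")}
	_, reloaded, err := r.Current()
	fmt.Println("reloaded:", reloaded, "err:", err) // never log the token itself
}
```

A caller would invoke `Current()` before each access-token refresh, or after an `invalid_grant` response, and rebuild its token source only when the second return value is true.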
