Crash when private key is formatted incorrectly #272
Comments
|
Hi Leonard - it seems like a better solution might be storing the path to a private key as an environment variable, rather than the key itself. You can pass that path to gcloud as |
|
Hi Stephen, The reason we're storing the private key as an environment variable is that we're using Managed VMs. This means the key should be retrieved somehow when booting a new VM. Since adding the key file to our repository is not on option (security wise), we choose to add the private key to Compute Engine's MetaData. On startup we request the private key from the MetaData and store it as an environment variable. |
|
Just speaking generally, it's best to keep private data out of public access and global context. But in this case, I'm not very familiar with Managed VMs. Talking with @silvolu, I think he has an idea -- expect to hear from him soon :) |
|
@leonardpunt The service account associated with a Managed VM is pre-authorized to provide access to your project’s default storage bucket and default datastore dataset. |
|
@leonardpunt as an example, gcloud-node-todos "should just work"™ on Managed VMs with no need for keys. |
|
@silvolu I need to connect to the datastore of a different project. But I could store the key file in the project's default storage bucket and download it from there on startup. Would that be a better solution? |
|
@leonardpunt You could also give the Managed VM's service account access to the other project: go to the Developer's Console, choose the other project, and under Permission add the Managed VM's service account email as a member. That should work. |
|
@silvolu I gave the MVM's service account access to the other project and removed the credentials information from the configuration details. I'm only passing the project id along. However I get this error: |
|
@leonardpunt please use the storage based workaround for the moment. I'll investigate as soon as I can and update this bug. |
|
@silvolu In theory the pre-authorization should work. However there is an open issue that this does not. See https://code.google.com/p/googleappengine/issues/detail?id=11380 Thanks for the help! |
|
I realise this is rather untimely but if you would rather use an environment variable to store your key, you can download the key in JSON form, then store it in an environment variable, it will work.
export GCLOUD_KEY='{"private_key_id":"XXX", "private_key":"YYY", "client_email":"ZZZ@ZZZ.COM", "client_id":"ABC123", "type":"service_account"}'
var projectId = process.env.GAE_LONG_APP_ID || process.env.DATASET_ID;
var keyContents = process.env.GCLOUD_KEY;
var gcloud = require('gcloud')({
projectId: projectId,
credentials: JSON.parse(keyContents) // parse the environment variable as JSON
}); |
|
Additionally, the private key is stored in this json blob with newlines just written as "private_key": "-----BEGIN PRIVATE KEY-----\nXXX\nYYY\nZZZ\u003d\n-----END PRIVATE KEY-----\n"Perhaps the |
|
Thanks @ryanseys , that does sound a bit simpler than what we are doing now. I'll have a look after the holidays ;-) |
|
Great @Guuz! Have a great holiday! :) |
|
@silvolu was there anything left to check on for this issue? |
|
I'm going to close this because I got it to work with the environment variable with some changes to the encoding in #272 (comment) and we now have safe guards in place to prevent cryptic errors from arising and confusing the developers. I don't think @silvolu has any reason to investigate or raise this issue further. |
jgeewax
added
auth
type: bug
yoshi-automation
added
🚨
* chore(main): release 3.1.1 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
🤖 I have created a release \*beep\* \*boop\* --- ## [2.5.0](https://github.com/googleapis/nodejs-cloudbuild/compare/v2.4.0...v2.5.0) (2021-08-23) ### Features * turns on self-signed JWT feature flag ([#271](https://github.com/googleapis/nodejs-cloudbuild/issues/271)) ([dcb970d](https://github.com/googleapis/nodejs-cloudbuild/commit/dcb970d8a6a7d87da553667cd25f8eb1052ba047)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
* chore(main): release 3.1.0 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
* feat!: Update library to use Node 12 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
🤖 I have created a release *beep* *boop* --- ## [3.0.0](googleapis/nodejs-bigquery-storage@v2.8.0...v3.0.0) (2022-06-29) ### ⚠ BREAKING CHANGES * update library to use Node 12 (#272) ### Features * Deprecate format specific `row_count` field in Read API ([#249](googleapis/nodejs-bigquery-storage#249)) ([fb8acf1](googleapis/nodejs-bigquery-storage@fb8acf1)) ### Bug Fixes * fixes for dynamic routing and streaming descriptors ([#274](googleapis/nodejs-bigquery-storage#274)) ([4271ea0](googleapis/nodejs-bigquery-storage@4271ea0)) * Modify client lib retry policy for CreateWriteStream with longer backoff, more error code and longer overall time ([#279](googleapis/nodejs-bigquery-storage#279)) ([849cc23](googleapis/nodejs-bigquery-storage@849cc23)) ### Build System * update library to use Node 12 ([#272](googleapis/nodejs-bigquery-storage#272)) ([5e774e6](googleapis/nodejs-bigquery-storage@5e774e6)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
gcr.io/repo-automation-bots/owlbot-nodejs:latest@sha256:f93bb861d6f12574437bb9aee426b71eafd63b419669ff0ed029f4b7e7162e3f
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [uuid](https://github.com/uuidjs/uuid) | devDependencies | major | [`^7.0.2` -> `^8.0.0`](https://renovatebot.com/diffs/npm/uuid/7.0.3/8.0.0) | --- ### Release Notes <details> <summary>uuidjs/uuid</summary> ### [`v8.0.0`](https://github.com/uuidjs/uuid/blob/master/CHANGELOG.md#​800-httpsgithubcomuuidjsuuidcomparev703v800-2020-04-29) [Compare Source](https://github.com/uuidjs/uuid/compare/v7.0.3...v8.0.0) ##### ⚠ BREAKING CHANGES - For native ECMAScript Module (ESM) usage in Node.js only named exports are exposed, there is no more default export. ```diff -import uuid from 'uuid'; -console.log(uuid.v4()); // -> 'cd6c3b08-0adc-4f4b-a6ef-36087a1c9869' +import { v4 as uuidv4 } from 'uuid'; +uuidv4(); // ⇨ '9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d' ``` - Deep requiring specific algorithms of this library like `require('uuid/v4')`, which has been deprecated in `uuid@7`, is no longer supported. Instead use the named exports that this module exports. For ECMAScript Modules (ESM): ```diff -import uuidv4 from 'uuid/v4'; +import { v4 as uuidv4 } from 'uuid'; uuidv4(); ``` For CommonJS: ```diff -const uuidv4 = require('uuid/v4'); +const { v4: uuidv4 } = require('uuid'); uuidv4(); ``` ##### Features - native Node.js ES Modules (wrapper approach) ([#​423](https://github.com/uuidjs/uuid/issues/423)) ([2d9f590](https://github.com/uuidjs/uuid/commit/2d9f590ad9701d692625c07ed62f0a0f91227991)), closes [#​245](https://github.com/uuidjs/uuid/issues/245) [#​419](https://github.com/uuidjs/uuid/issues/419) [#​342](https://github.com/uuidjs/uuid/issues/342) - remove deep requires ([#​426](https://github.com/uuidjs/uuid/issues/426)) ([daf72b8](https://github.com/uuidjs/uuid/commit/daf72b84ceb20272a81bb5fbddb05dd95922cbba)) ##### Bug Fixes - add CommonJS syntax example to README quickstart section ([#​417](https://github.com/uuidjs/uuid/issues/417)) ([e0ec840](https://github.com/uuidjs/uuid/commit/e0ec8402c7ad44b7ef0453036c612f5db513fda0)) ##### [7.0.3](https://github.com/uuidjs/uuid/compare/v7.0.2...v7.0.3) (2020-03-31) ##### Bug Fixes - make deep require deprecation warning work in browsers ([#​409](https://github.com/uuidjs/uuid/issues/409)) ([4b71107](https://github.com/uuidjs/uuid/commit/4b71107d8c0d2ef56861ede6403fc9dc35a1e6bf)), closes [#​408](https://github.com/uuidjs/uuid/issues/408) ##### [7.0.2](https://github.com/uuidjs/uuid/compare/v7.0.1...v7.0.2) (2020-03-04) ##### Bug Fixes - make access to msCrypto consistent ([#​393](https://github.com/uuidjs/uuid/issues/393)) ([8bf2a20](https://github.com/uuidjs/uuid/commit/8bf2a20f3565df743da7215eebdbada9d2df118c)) - simplify link in deprecation warning ([#​391](https://github.com/uuidjs/uuid/issues/391)) ([bb2c8e4](https://github.com/uuidjs/uuid/commit/bb2c8e4e9f4c5f9c1eaaf3ea59710c633cd90cb7)) - update links to match content in readme ([#​386](https://github.com/uuidjs/uuid/issues/386)) ([44f2f86](https://github.com/uuidjs/uuid/commit/44f2f86e9d2bbf14ee5f0f00f72a3db1292666d4)) ##### [7.0.1](https://github.com/uuidjs/uuid/compare/v7.0.0...v7.0.1) (2020-02-25) ##### Bug Fixes - clean up esm builds for node and browser ([#​383](https://github.com/uuidjs/uuid/issues/383)) ([59e6a49](https://github.com/uuidjs/uuid/commit/59e6a49e7ce7b3e8fb0f3ee52b9daae72af467dc)) - provide browser versions independent from module system ([#​380](https://github.com/uuidjs/uuid/issues/380)) ([4344a22](https://github.com/uuidjs/uuid/commit/4344a22e7aed33be8627eeaaf05360f256a21753)), closes [#​378](https://github.com/uuidjs/uuid/issues/378) </details> --- ### Renovate configuration :date: **Schedule**: "after 9am and before 3pm" (UTC). :vertical_traffic_light: **Automerge**: Disabled by config. Please merge this manually once you are satisfied. :recycle: **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. :no_bell: **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [WhiteSource Renovate](https://renovate.whitesourcesoftware.com). View repository job log [here](https://app.renovatebot.com/dashboard#googleapis/nodejs-security-center).
🤖 I have created a release \*beep\* \*boop\* --- ### [2.3.4](https://github.com/googleapis/nodejs-datacatalog/compare/v2.3.3...v2.3.4) (2021-07-21) ### Bug Fixes * **deps:** google-gax v2.17.1 ([#272](https://github.com/googleapis/nodejs-datacatalog/issues/272)) ([62ffcc6](https://github.com/googleapis/nodejs-datacatalog/commit/62ffcc6fd9a5b68936a57c1ac5a041527e38fec3)) * Updating WORKSPACE files to use the newest version of the Typescript generator. ([#274](https://github.com/googleapis/nodejs-datacatalog/issues/274)) ([3ebafcd](https://github.com/googleapis/nodejs-datacatalog/commit/3ebafcdbfaf50ff96f9d828e33cc355af33a7000)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Hi,
The library (v0.9.0) crashes when a private key is formatted incorrectly. Examples are if the private key is a literal with \n characters, or if the newlines are replaced with spaces.
The following error is thrown:
Also, it would be nice if the library could handle some alternative formats of a private key, like spaces instead of newlines. We're retrieving our private key from a environment variable and environment variables can't be multiline. So right now we have to denote newlines with some character and replace them with newlines in our code.
Kind regards,
Leonard
The text was updated successfully, but these errors were encountered: