Permissions issues with GraalVM for JDK 21 #1463

Open
mpeddada1 opened this issue Aug 29, 2024 · 0 comments

mpeddada1 commented Aug 29, 2024

As discovered in #1448, building applications with java-storage-nio is resulting in authentication issues.

Build-time Issues

There is a known issue in GraalVM which results in build-time failures when using FileSystemProviders. Since java-storage-nio has support for FileSystemProviders, it ends up running into similar problems as seen below:

Error: No instances of jdk.internal.misc.InnocuousThread are allowed in the image heap as this class should be initialized at image runtime. To see how this object got instantiated use --trace-object-instantiation=jdk.internal.misc.InnocuousThread.

Also documented in #1447.

Workaround: The workaround as described in oracle/graal#5134 (comment) is to add -H:-AddAllFileSystemProvider and upgrade to GraalVM for JDK 21.

Run-time Issues in GraalVM for JDK 21

The workaround provided above addresses the build-time issues, but it results in the following error at run-time when service account credentials are used for authentication:

org.opentest4j.MultipleFailuresError: Multiple Failures (2 failures)
	com.google.cloud.storage.StorageException: 250644331956-compute@developer.gserviceaccount.com does not have storage.buckets.create access to the Google Cloud project. Permission 'storage.buckets.create' denied on resource (or it may not exist).
	java.util.concurrent.ExecutionException: com.google.cloud.storage.StorageException: The specified bucket does not exist.
         com.google.cloud.storage.spi.v1.HttpStorageRpc.translate(HttpStorageRpc.java:330)
         com.google.cloud.storage.spi.v1.HttpStorageRpc.create(HttpStorageRpc.java:372)
         com.google.cloud.storage.StorageImpl.lambda$create$0(StorageImpl.java:139)
         com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:102)
         com.google.cloud.RetryHelper.run(RetryHelper.java:76)
         [...]
       Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
POST https://storage.googleapis.com/storage/v1/b?project=gcloud-devel&projection=full
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "250644331956-compute@developer.gserviceaccount.com does not have storage.buckets.create access to the Google Cloud project. Permission 'storage.buckets.create' denied on resource (or it may not exist).",
    "reason" : "forbidden"
  } ],
  "message" : "250644331956-compute@developer.gserviceaccount.com does not have storage.buckets.create access to the Google Cloud project. Permission 'storage.buckets.create' denied on resource (or it may not exist)."
}
         com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:118)
         com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:37)
         com.google.api.client.googleapis.services.AbstractGoogleClientRequest$3.interceptResponse(AbstractGoogleClientRequest.java:479)
         com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1111)
         com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:565)
         [...]

On the other hand, using user credentials works:

========================================================================================================================
Finished generating 'native-tests' in 1m 8s.
[INFO] Executing: /usr/local/google/home/mpeddada/IdeaProjects/java-storage-nio/google-cloud-nio/target/native-tests --xml-output-dir /usr/local/google/home/mpeddada/IdeaProjects/java-storage-nio/google-cloud-nio/target/native-test-reports -Djunit.platform.listeners.uid.tracking.output.dir=/usr/local/google/home/mpeddada/IdeaProjects/java-storage-nio/google-cloud-nio/target/test-ids
JUnit Platform on Native Image - report
----------------------------------------

class com.google.auth.oauth2.UserCredentials
com.google.cloud.storage.contrib.nio.it.ITGcsNio > testCopy_replaceFile_withoutOption SUCCESSFUL


Test run finished after 8376 ms
[         3 containers found      ]
[         0 containers skipped    ]
[         3 containers started    ]
[         0 containers aborted    ]
[         3 containers successful ]
[         0 containers failed     ]
[         1 tests found           ]
[         0 tests skipped         ]
[         1 tests started         ]
[         0 tests aborted         ]
[         1 tests successful      ]
[         0 tests failed          ]

Workaround: Use gcloud auth application-default login for authentication. Authenticating using service account credentials isn't supported out of the box for GraalVM on JDK 21 in java-storage-nio at the moment.

@product-auto-label product-auto-label bot added the api: storage Issues related to the googleapis/java-storage-nio API. label Aug 29, 2024
@mpeddada1 mpeddada1 self-assigned this Aug 29, 2024
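
An added diagnostic, not part of the original issue or of java-storage-nio: compiled into the native image, it reports which credential class and principal Application Default Credentials resolve to, so the identity named in a 403 can be compared with the one that was intended before any IAM grant is changed. The class name `AdcIdentityCheck` and the `EXPECTED_PRINCIPAL` environment variable are assumptions of this example; the credential classes and methods are from google-auth-library-java.

```java
// Added example: class name and EXPECTED_PRINCIPAL are assumptions,
// not names used by java-storage-nio.
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import java.io.IOException;

public final class AdcIdentityCheck {

  /** Returns the principal the credential calls the API as, or null if it is not exposed. */
  static String principalOf(GoogleCredentials c) {
    if (c instanceof ServiceAccountCredentials) {
      // Loaded from a service account key file.
      return ((ServiceAccountCredentials) c).getClientEmail();
    }
    if (c instanceof ImpersonatedCredentials) {
      return ((ImpersonatedCredentials) c).getAccount();
    }
    if (c instanceof ComputeEngineCredentials) {
      // Queries the metadata server for the instance's default service
      // account; throws a RuntimeException if the server is unreachable.
      return ((ComputeEngineCredentials) c).getAccount();
    }
    // UserCredentials and other types do not carry the account email.
    return null;
  }

  public static void main(String[] args) throws IOException {
    GoogleCredentials adc = GoogleCredentials.getApplicationDefault();
    String principal = principalOf(adc);
    System.out.println("credential class: " + adc.getClass().getName());
    System.out.println("principal:        " + (principal == null ? "(not exposed)" : principal));

    // Optional guard for CI: fail when the binary resolves an identity
    // other than the one the job was configured to use.
    String expected = System.getenv("EXPECTED_PRINCIPAL");
    if (expected != null && !expected.equals(principal)) {
      System.err.println("ADC resolved to a different identity than " + expected);
      System.exit(1);
    }
  }
}
```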