getSignedUrl with Cloud Functions giving “SigningError: Failure from metadata server” #150

Closed
jsambuo opened this issue Mar 12, 2018 · 9 comments
Labels
api: storage Issues related to the googleapis/nodejs-storage API. 🚨 This issue needs some love. triage me I really want to be triaged. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

@jsambuo

jsambuo commented Mar 12, 2018

Hi,

I noticed an issue when using @google-cloud/storage 1.6.0, that doesn't exist in 1.5.2.
I'm using Google Cloud Functions with getSignedUrl to upload files into storage. I was getting this error:

```
{ SigningError: Failure from metadata server.
    at /user_code/node_modules/@google-cloud/storage/src/file.js:1715:16
    at getCredentials (/user_code/node_modules/@google-cloud/storage/node_modules/google-auto-auth/index.js:264:9)
    at googleAuthClient.getCredentials (/user_code/node_modules/@google-cloud/storage/node_modules/google-auto-auth/index.js:148:11)
    at process._tickDomainCallback (internal/process/next_tick.js:135:7) message: 'Failure from metadata server.' }
```

When I downgrade to 1.5.2, the issue goes away.

My index.js looks like this:

```js
const storage = require('@google-cloud/storage')();

exports.getSignedUrl = (req, res) => {

    if(req.method === 'POST') {

        // Perform any authorization checks here to assert
        // that the end user is authorized to upload.

        const myBucket = storage.bucket('my-bucket-name');
        const myFile = myBucket.file(req.body.filename);
        const contentType = req.body.contentType;

        // This link should only last 5 minutes
        const expiresAtMs = Date.now() + 300000;
        const config = {
            action: 'write',
            expires: expiresAtMs,
            contentType: contentType
        };

        myFile.getSignedUrl(config, function(err, url) {
            if (err) {
                console.error(err);
                res.status(500).end();
                return;
            }
            res.send(url);
        });
    } else {
        res.status(405).end();
    }
}
```

My package.json looks like this:

```json
{
  "name": "sample-http",
  "version": "0.0.1",
  "dependencies": {
    "@google-cloud/storage": "1.5.2"
  }
}
```

After finding out that 1.5.2 works, I did not look further into this. I'm not sure if this was intentional, or if something in GCF needs to get updated. I'm opening this issue in case this is an unknown bug, and to let others know of a workaround.

https://serverfault.com/q/901144/460159

@stephenplusplus stephenplusplus added type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. labels Mar 12, 2018
@stephenplusplus stephenplusplus self-assigned this Mar 12, 2018
@stephenplusplus
Contributor

I tried this using only google-auth-library and was able to reproduce-- issue opened here: googleapis/google-auth-library-nodejs#321. Feel free to subscribe to the issue over there to follow what we figure out. Otherwise, I'll update here when I hear back.

@stephenplusplus stephenplusplus added the status: blocked Resolving the issue is dependent on other work. label Mar 13, 2018
@stephenplusplus
Contributor

The issue was resolved upstream in google-auth-library, and is effectively fixed for all new deploys to GCF. Thanks for reporting!

@ghost ghost removed the priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. label Mar 14, 2018
@stephenplusplus stephenplusplus added priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. and removed status: blocked Resolving the issue is dependent on other work. priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. labels Mar 14, 2018
@rscotten

rscotten commented Mar 29, 2018

I resolved this error by adding the "Cloud Functions Service Agent" role to my service account.

https://console.cloud.google.com/iam-admin/iam


@weidongyu

@rscotten Perfect solution. I met this issue while using a Firebase cloud function calling getSignedUrl().
Thanks a lot.

@matjazonline

Just to make sure I had to add this role (from @rscotten answer) to my "App Engine default service account"

@anilgithub2018

It fixed my issue by adding the following role to the default App Engine user:

Service Account Token Creator

@marlonramon

I have the same error only when calling a lot of promises that call getSignedUrl:

```js
// One promise per row; each row signs a URL for every instance in parallel.
const listPromises = otherList.map(async row => {
  const list = row.list.map(async instance => {
    const bucketName = "hot.ignore.com";

    const [signedUrl] = await storage.bucket(bucketName)
      .file("fileName")
      .getSignedUrl(options);

    const httpURL = signedUrl.replace('https', 'http');
    instance.signedUrl = httpURL;

    return instance;
  });
  // Resolve the inner promises so the row yields its instances.
  return Promise.all(list);
});

const values = await Promise.all(listPromises);
```

I have 3k promises.

@google-cloud-label-sync google-cloud-label-sync bot added the api: storage Issues related to the googleapis/nodejs-storage API. label Jan 31, 2020
@yoshi-automation yoshi-automation added triage me I really want to be triaged. 🚨 This issue needs some love. labels Apr 6, 2020
@jorg1piano

> Just to make sure I had to add this role (from @rscotten answer) to my "App Engine default service account"

Like mentioned you have to add it to the default service account as well... When using firebase even when initializing your app using a different "serviceAccountId" I had to add it to the default account to make URL signing work.

Life savior change @matjazonline thanks 👍

@jaredm4

jaredm4 commented Apr 22, 2021

The GCP docs say not to use Service Agent roles on your own Service Accounts.

> Warning: Do not grant service agent roles to other users, groups, or service accounts. The permissions within these roles might change without notice. Instead, choose a different predefined role, or create a custom role with the permissions you need.

I looped in GCP support and found the missing role needed was roles/iam.serviceAccountTokenCreator (on top of the standard object viewer role).
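
A check for the two points in the comment above, as an added example that is not part of the thread or of the project's code: it reads an IAM policy in the JSON shape printed by `gcloud projects get-iam-policy --format=json` and reports whether a service account holds `roles/iam.serviceAccountTokenCreator` and whether it has been granted any service agent role. The policy, project and account names are constructed, and treating every role ID that ends in `.serviceAgent` as a service agent role is an assumed heuristic.

```javascript
// Added example: audit an IAM policy for the signing-related findings in this thread.
// All project and account names below are constructed sample values.
const TOKEN_CREATOR = 'roles/iam.serviceAccountTokenCreator';

// Assumption: service agent roles are recognised by the ".serviceAgent" suffix
// of the role ID (for example roles/cloudfunctions.serviceAgent).
const isServiceAgentRole = (role) => /\.serviceAgent$/.test(role);

function auditSigningAccess(policy, serviceAccountEmail) {
  const member = `serviceAccount:${serviceAccountEmail}`;
  // Collect every role bound directly to this service account.
  const roles = (policy.bindings || [])
    .filter((b) => Array.isArray(b.members) && b.members.includes(member))
    .map((b) => b.role);

  const hasTokenCreator = roles.includes(TOKEN_CREATOR);
  const serviceAgentRoles = roles.filter(isServiceAgentRole);
  const findings = [];
  if (!hasTokenCreator) {
    findings.push(`${member} lacks ${TOKEN_CREATOR}; getSignedUrl may fail to sign`);
  }
  for (const role of serviceAgentRoles) {
    findings.push(`${member} holds service agent role ${role}; use a predefined or custom role`);
  }
  return { roles, hasTokenCreator, serviceAgentRoles, findings };
}

// Constructed policy: the default account carries the service agent role used
// as a workaround earlier in the thread; "uploader" has the narrower grant.
const DEFAULT_SA = 'example-project@appspot.gserviceaccount.com';
const UPLOADER_SA = 'uploader@example-project.iam.gserviceaccount.com';
const samplePolicy = {
  bindings: [
    { role: 'roles/cloudfunctions.serviceAgent',
      members: [`serviceAccount:${DEFAULT_SA}`] },
    { role: 'roles/storage.objectViewer',
      members: [`serviceAccount:${DEFAULT_SA}`, `serviceAccount:${UPLOADER_SA}`] },
    { role: TOKEN_CREATOR,
      members: [`serviceAccount:${UPLOADER_SA}`] },
  ],
};

for (const sa of [DEFAULT_SA, UPLOADER_SA]) {
  console.log(sa, auditSigningAccess(samplePolicy, sa).findings);
}
```

The output of `gcloud iam service-accounts get-iam-policy` uses the same `bindings` shape, so the function also covers a Token Creator grant made on the service account itself instead of the project.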
