credentials/google/google: missing OAuth scopes for ADC #7886
Assignees
Labels
Area: Auth
Includes regular credentials API and implementation. Also includes advancedtls, authz, rbac etc.
Type: Bug
Comments
|
Thanks for reporting this issue and the fix (#7887). I've added people to review the fix. |
arjan-bal
added
the
Area: Auth
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What version of gRPC are you using?
v1.68.0, with and without cherry-picked #7845
What version of Go are you using (
go version)?go version go1.23.2 linux/amd64
What operating system (Linux, Windows, …) and version?
Debian GNU/Linux 12 (bookworm)
What did you do?
Deployed gRPC apps in a Kubernetes cluster running off Google Cloud.
Configured gRPC xDS bootstrap with
server_urivaluedns:///trafficdirector.googleapis.com:443andchannel_creds.typevaluegoogle_default.Created a workload identity pool and provider by following the guide Configure Workload Identity Federation with Kubernetes. Used direct resource access, not IAM service account impersonation.
Configured Application Default Credentials (ADC) on the Pods by setting the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable pointing to a credentials configuration file and mounting aserviceAccountTokenprojected volume with anaudiencevalue referencing the workload identity pool provider.Verified the ADC setup by creating the
examplePod from the guide Configure Workload Identity Federation with Kubernetes, section "Deploy the Kubernetes workload", and successfully obtained a token.What did you expect to see?
The gRPC applications should successfully authenticate to Traffic Director using Application Default Credentials (ADC) and Workload Identity Federation, and start the ADS stream.
What did you see instead?
Using grpc-go
v1.68.0(so before credentials: remove the context timeout to fix token request failure with non-GCE ADC #7845 was merged to fix credentials/google/google not working with oauth2 and ADC #6285):context cancelederror when obtaining a token fromsts.googleapis.comas part of setting up the ADS stream:transport/transport.go:336] "[xds][xds-client 0xc0000a8540] [trafficdirector.googleapis.com:443] Creating new ADS stream failed: rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: oauth2/google: invalid response from Secure Token Server: Post \"https://sts.googleapis.com/v1/token\": context canceled"After cherry-picking PR credentials: remove the context timeout to fix token request failure with non-GCE ADC #7845 to fix credentials/google/google not working with oauth2 and ADC #6285: Error when authenticating to Traffic Director because no OAuth scopes were provided:
transport/transport.go:336] "[xds][xds-client 0xc000400360] [trafficdirector.googleapis.com:443] Creating new ADS stream failed: rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: oauth2/google: status code 400: {\"error\":\"invalid_request\",\"error_description\":\"Scope(s) must be provided.\"}"Related issues and PRs
#6285 credentials/google/google not working with oauth2 and ADC
#7845 credentials: remove the context timeout to fix token request failure with non-GCE ADC
The text was updated successfully, but these errors were encountered: