ComputeEngineCredentials does not handle error response from the metadata server correctly #1409
Labels
priority: p2
Moderately-important priority. Fix may not be included in next release.
type: bug
Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
ComputeEngineCredentials assumes that the response from the metadata server is either 200 or 503:

This is not necessarily true. For example, on GKE, when Workload Identity Federation is used, one needs to bind the k8s service account to an IAM service account in order to receive an OIDC token by calling idTokenWithAudience. Without the binding, the metadata server returns a 404 with the following body:

The 404 code is silently ignored and the response body (i.e. the error message above) was then treated as the base64-encoded ID token, which causes the decoding step to fail:

I had to manually recreate the HTTP request to the metadata server to obtain the response body and understand the problem, as java.lang.IllegalArgumentException: com.google.common.io.BaseEncoding$DecodingException: Unrecognized character: 0x20 is not helpful at all.

In my opinion getMetadataResponse should throw (with the message body, if present) whenever the response code is not 200, instead of only throwing for 503.
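As an added illustration of the mismatch described in this issue (not code from the report or from the google-auth-library-java project), the constructed Python model below compares a check that only treats 503 as an error with one that rejects every non-200 status before the body is decoded; the sample responses, the error text and the token claims are made up.

```python
import base64
import binascii
import json

def _b64url(obj):
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample responses (status, body); nothing here was captured from a real metadata server.
SAMPLE_OK = (200, ".".join([_b64url({"alg": "RS256"}), _b64url({"aud": "https://example.invalid"}), "c2ln"]))
SAMPLE_404 = (404, "Unable to generate identity token: placeholder error text with spaces")
SAMPLE_503 = (503, "Service Unavailable")

class MetadataServerError(Exception):
    def __init__(self, status, body):
        # Keep status and body so the caller can see what the metadata server actually said.
        super().__init__(f"metadata server returned HTTP {status}: {body}")
        self.status, self.body = status, body

def _decode_segment(segment):
    """Strictly base64url-decode one JWT segment; a character outside the alphabet (e.g. 0x20) is an error."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.b64decode(padded, altchars=b"-_", validate=True))

def parse_id_token_response(status, body, strict=True):
    """Return the ID token's claims, or raise.

    strict=False models the behaviour the issue describes (only 503 is an error, so a 404
    error body is handed straight to the base64 decoder); strict=True is the proposed handling.
    """
    if status == 503 or (strict and status != 200):
        raise MetadataServerError(status, body)
    segments = body.split(".")
    _decode_segment(segments[0])  # header; on an error body this fails with binascii.Error
    return _decode_segment(segments[1])

def observed_outcome(status, body, strict):
    """What a caller sees for one response, as a short string (used to compare the two behaviours)."""
    try:
        claims = parse_id_token_response(status, body, strict=strict)
        return "token aud=" + claims["aud"]
    except MetadataServerError as exc:
        return f"metadata error HTTP {exc.status}: {exc.body}"
    except binascii.Error as exc:
        return f"base64 decode error: {exc}"

if __name__ == "__main__":
    for strict in (False, True):
        for sample in (SAMPLE_OK, SAMPLE_404, SAMPLE_503):
            print("strict " if strict else "lenient", sample[0], "->", observed_outcome(*sample, strict=strict))
```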