Skip to content

Commit

Permalink
use GCE metadata server env var overrides (#6015)
Browse files Browse the repository at this point in the history 
* use GCE metadata env var overrides

* update docs

Co-authored-by: Andrew Lamb <andrew@nerdnetworks.org>

---------

Co-authored-by: Andrew Lamb <andrew@nerdnetworks.org>
  • Loading branch information
@barronw @alamb
barronw and alamb authored Jul 17, 2024
1 parent 4978e32 commit 94652e5
Showing 1 changed file with 40 additions and 8 deletions.
48 changes: 40 additions & 8 deletions object_store/src/gcp/credential.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,9 @@ pub const DEFAULT_GCS_BASE_URL: &str = "https://storage.googleapis.com";
const DEFAULT_GCS_PLAYLOAD_STRING: &str = "UNSIGNED-PAYLOAD";
const DEFAULT_GCS_SIGN_BLOB_HOST: &str = "storage.googleapis.com";

const DEFAULT_METADATA_HOST: &str = "metadata.google.internal";
const DEFAULT_METADATA_IP: &str = "169.254.169.254";

#[derive(Debug, Snafu)]
pub enum Error {
#[snafu(display("Unable to open service account file from {}: {}", path.display(), source))]
Expand Down Expand Up @@ -414,17 +417,31 @@ impl TokenProvider for InstanceCredentialProvider {

/// Fetch a token from the metadata server.
/// Since the connection is local we need to enable http access and don't actually use the client object passed in.
/// Respects the `GCE_METADATA_HOST`, `GCE_METADATA_ROOT`, and `GCE_METADATA_IP`
/// environment variables.
///
/// References: <https://googleapis.dev/python/google-auth/latest/reference/google.auth.environment_vars.html>
async fn fetch_token(
&self,
client: &Client,
retry: &RetryConfig,
) -> crate::Result<TemporaryToken<Arc<GcpCredential>>> {
const METADATA_IP: &str = "169.254.169.254";
const METADATA_HOST: &str = "metadata";
let metadata_host = if let Ok(host) = env::var("GCE_METADATA_HOST") {
host
} else if let Ok(host) = env::var("GCE_METADATA_ROOT") {
host
} else {
DEFAULT_METADATA_HOST.to_string()
};
let metadata_ip = if let Ok(ip) = env::var("GCE_METADATA_IP") {
ip
} else {
DEFAULT_METADATA_IP.to_string()
};

info!("fetching token from metadata server");
let response = make_metadata_request(client, METADATA_HOST, retry)
.or_else(|_| make_metadata_request(client, METADATA_IP, retry))
let response = make_metadata_request(client, &metadata_host, retry)
.or_else(|_| make_metadata_request(client, &metadata_ip, retry))
.await?;

let token = TemporaryToken {
Expand Down Expand Up @@ -469,18 +486,33 @@ impl TokenProvider for InstanceSigningCredentialProvider {

/// Fetch a token from the metadata server.
/// Since the connection is local we need to enable http access and don't actually use the client object passed in.
/// Respects the `GCE_METADATA_HOST`, `GCE_METADATA_ROOT`, and `GCE_METADATA_IP`
/// environment variables.
///
/// References: <https://googleapis.dev/python/google-auth/latest/reference/google.auth.environment_vars.html>
async fn fetch_token(
&self,
client: &Client,
retry: &RetryConfig,
) -> crate::Result<TemporaryToken<Arc<GcpSigningCredential>>> {
const METADATA_IP: &str = "169.254.169.254";
const METADATA_HOST: &str = "metadata";
let metadata_host = if let Ok(host) = env::var("GCE_METADATA_HOST") {
host
} else if let Ok(host) = env::var("GCE_METADATA_ROOT") {
host
} else {
DEFAULT_METADATA_HOST.to_string()
};

let metadata_ip = if let Ok(ip) = env::var("GCE_METADATA_IP") {
ip
} else {
DEFAULT_METADATA_IP.to_string()
};

info!("fetching token from metadata server");

let email = make_metadata_request_for_email(client, METADATA_HOST, retry)
.or_else(|_| make_metadata_request_for_email(client, METADATA_IP, retry))
let email = make_metadata_request_for_email(client, &metadata_host, retry)
.or_else(|_| make_metadata_request_for_email(client, &metadata_ip, retry))
.await?;

let token = TemporaryToken {
Expand Down

0 comments on commit 94652e5

Please sign in to comment.