compute: unable to read metadata from GKE #2750
Comments
Thanks for the report, I will investigate and get back to you. |
I tried a few different things, but they all seemed to work for me.
Could you please provide me the following so I can better assist you here:
|
The master is running on
Right now we have
No |
We seem to be getting the same behavior with Also, we're running Go 1.14 inside a docker image based off scratch. Nothing out of the ordinary. This is the code we're running to try and obtain the ID token

```go
package foo

import (
	"context"
	"fmt"

	"cloud.google.com/go/compute/metadata"
)

// MetadataIdentityProvider - defines the functionality for retrieving an identity token from
// the Google Compute Engine metadata service.
type MetadataIdentityProvider struct {
}

// NewMetadataIdentityProvider - creates a new MetadataIdentityProvider instance.
func NewMetadataIdentityProvider() *MetadataIdentityProvider {
	return &MetadataIdentityProvider{}
}

// GetToken - gets the token for the specified endpoint.
func (p *MetadataIdentityProvider) GetToken(ctx context.Context, endpoint string) (string, error) {
	url := fmt.Sprintf("/instance/service-accounts/default/identity?audience=%s", endpoint)
	token, err := metadata.Get(url)
	if err != nil {
		return "", err
	}
	return token, nil
}
```

We do pass in a valid value for the |
Thanks for all of the extra info and providing a code example. Looking at your code I believe if you change the following line it should work.

```go
url := fmt.Sprintf("instance/service-accounts/default/identity?audience=%s", endpoint)
```

Removed the leading |
Note, in the next release a leading slash will be removed so this function is less error prone. |
@codyoss I can confirm that removing the leading |
Glad I could help 😄 |
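The fix discussed in this thread, as an added example that is not code from the thread or from the google-cloud-go library: it builds the identity-token request with the standard library only, trims a leading slash from the suffix so both spellings resolve to the same path, and query-escapes the audience instead of formatting it in with `%s`. The names `IdentityURL` and `FetchIdentityToken`, the audience value, and the assumption that the base URL ends in `/computeMetadata/v1/` are illustrative.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// identityPath is the suffix from the thread, written without a leading slash.
const identityPath = "instance/service-accounts/default/identity"

// IdentityURL joins base (assumed to end in "/computeMetadata/v1/") with the
// suffix, trimming stray slashes at the join, and query-escapes the audience.
func IdentityURL(base, suffix, audience string) string {
	q := url.Values{"audience": {audience}}
	return strings.TrimRight(base, "/") + "/" + strings.TrimLeft(suffix, "/") + "?" + q.Encode()
}

// FetchIdentityToken requests an ID token and rejects any non-200 reply.
func FetchIdentityToken(ctx context.Context, c *http.Client, base, suffix, audience string) (string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, IdentityURL(base, suffix, audience), nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Metadata-Flavor", "Google") // required by the metadata server
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("metadata server returned %d for %s", resp.StatusCode, req.URL.Path)
	}
	return strings.TrimSpace(string(body)), nil
}

func main() {
	// Constructed audience; both suffix spellings print the same URL.
	base := "http://metadata.google.internal/computeMetadata/v1/"
	fmt.Println(IdentityURL(base, "/"+identityPath, "https://svc.example.com"))
	fmt.Println(IdentityURL(base, identityPath, "https://svc.example.com"))
}
```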
Client
Metadata
Environment
Google Kubernetes Engine
Expected behavior
Be able to retrieve an ID token from the metadata server when running inside GKE
Actual behavior
When following the code example (Go) for Cloud Run service-to-service authentication at https://cloud.google.com/run/docs/authenticating/service-to-service I keep getting an error when trying to retrieve an ID token when running inside GKE. I.e., my caller is living in GKE and it needs to call a Cloud Run hosted service. When I try and retrieve the ID token I get the following error
However, if I manually ssh into the Kubernetes node and curl (by directly calling http://metadata.google.internal) the metadata server then I can get the ID token