Description
Please make sure you have searched for information in the following guides.
- Search the issues already opened: https://github.com/GoogleCloudPlatform/google-cloud-node/issues
- Search StackOverflow: http://stackoverflow.com/questions/tagged/google-cloud-platform+node.js
- Check our Troubleshooting guide: https://github.com/googleapis/google-cloud-node/blob/main/docs/troubleshooting.md
- Check our FAQ: https://github.com/googleapis/google-cloud-node/blob/main/docs/faq.md
- Check our libraries HOW-TO: https://github.com/googleapis/gax-nodejs/blob/main/client-libraries.md
- Check out our authentication guide: https://github.com/googleapis/google-auth-library-nodejs
- Check out handwritten samples for many of our APIs: https://github.com/GoogleCloudPlatform/nodejs-docs-samples
A screenshot that you have tested with "Try this API".
N/A
Link to the code that reproduces this issue. A link to a public Github Repository or gist with a minimal reproduction.
https://github.com/googleapis/google-auth-library-nodejs/blob/main/src/auth/jwtclient.ts#L311
A step-by-step description of how to reproduce the issue, based on the linked reproduction.
// Reproduction from the report: build an auth client from a service-account
// key file, hand it to PubSub, and log the name of every topic returned.
var log4js = require("log4js");
var logger = log4js.getLogger();
const {GoogleAuth, JWTAccess, OAuth2Client, JWT, JWTInput} = require('google-auth-library');
const {PubSub, ClientConfig} = require('@google-cloud/pubsub');
// Service-account key file. It holds the private key, so it should stay out of
// version control and out of log output. Note that `jkey` is assigned without
// a declaration keyword.
jkey = require("../certs/jwt-access-svc-account.json");
const projectId = 'core-eso';
// Two alternative ways to build `client` follow. Both declare `const client`,
// so keep only one of them when running the script.
// Alternative 1: JWTAccess client built from the key-file fields.
const client = new JWTAccess(
jkey.client_email,
jkey.private_key,
jkey.private_key_id
);
client.useJWTAccessWithScope = true;
// Alternative 2: JWT client built from the same key, with an explicit scope.
const client = new JWT({
email: jkey.client_email,
key: jkey.private_key,
scopes: ['https://www.googleapis.com/auth/cloud-platform'],
});
// NOTE(review): `client` is an auth client instance, not the key-file JSON.
// The JWT options above are named `email`/`key`, while the reported error asks
// for `client_email`, which fits the object passed here lacking that field.
// google-auth-library documents `credentials` for the key JSON and `authClient`
// for a pre-built client - confirm which one PubSub should receive.
const pubsub = new PubSub({
credentials: client,
projectId: projectId
});
// List topics; on error print it and stop, otherwise log each topic's name.
pubsub.getTopics((err, topic) => {
if (err) {
console.log(err);
return;
}
topic.forEach(function(entry) {
logger.info(entry.name);
});
});
{
"name": "myapp",
"version": "0.0.0",
"scripts": {
"start": "node app.js"
},
"dependencies": {
"@google-cloud/pubsub": "4.11.0",
"@google-cloud/storage": "7.16.0",
"google-auth-library": "^9.15.1",
"googleapis": "^148.0.0",
"log4js": "^0.6.27"
}
}
A clear and concise description of what the bug is, and what you expected to happen.
JWTAccess tokens derived from service account keys, as described here, seem to transpose or use incorrect JSON fields.
For example, if you initialize either of the clients (`JWTAccess` or `JWT`) as shown in the repro section and run it, you'll initially see
Error: The incoming JSON object does not contain a client_email field
The JSON service account file definitely has the client_email
but it seems to get mismatched somewhere here
such that the client_email
is transposed to email
and private_key
is email
,
so if you alter the code there above to change the names, the client is authenticated properly.
Essentially, it seems that somewhere in the codebase the service account's JSON field names are changed; the fix was to update jwtclient.js so that `client_email` => `email` and `private_key` => `key`:
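/**
 * Populate this client from a credentials object.
 *
 * This is the reporter's locally modified version. It reads `email` and `key`
 * instead of the `client_email` and `private_key` fields that the error
 * messages name, so a service-account key file that carries only
 * `client_email`/`private_key` is rejected by the checks below.
 *
 * @param {object} json Credentials object; must carry `email` and `key`.
 * @throws {Error} If `json` is missing, or lacks `email` or `key`.
 */
fromJSON(json) {
  // The debug `console.log(json)` was dropped: `json` carries the service
  // account's private key, and printing it copies the secret into stdout and
  // any log pipeline that collects it.
  if (!json) {
    throw new Error('Must pass in a JSON object containing the service account auth settings.');
  }
  // NOTE(review): the messages below still name the key-file fields although
  // the checks read `email`/`key`; kept as on the page so the error text that
  // the report quotes stays recognisable.
  if (!json.email) {
    throw new Error('The incoming JSON object does not contain a client_email field');
  }
  if (!json.key) {
    throw new Error('The incoming JSON object does not contain a private_key field');
  }
  // Extract the relevant information from the credentials object.
  this.email = json.email;
  this.key = json.key;
  this.keyId = json.private_key_id;
  this.projectId = json.project_id;
  this.quotaProjectId = json.quota_project_id;
  // Keep the existing universe domain when the object does not supply one.
  this.universeDomain = json.universe_domain || this.universeDomain;
}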