Alternative way to log in via Service Account key file

Open wonsuc opened this issue 4 years ago • 4 comments

My company's network is behind a proxy, and I have an issue logging in with the Cloud Code prompt popup.

After I logged in on the browser which is automatically opened, the popup progress bar stops while the OK button is disabled and I can only click the Cancel button.

From PowerShell, I also couldn't log in with the command gcloud init or gcloud auth login. It shows error messages like below.

ERROR: gcloud crashed (SSLError): HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded with url: /token (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

I set up every proxy property and added CA certifications via core/custom_ca_certs_file but I couldn't succeed while every other command works.

So I had to use gcloud auth activate-service-account [email protected] --key-file="C:\...paths...\service-account.json" to login from Google Cloud SDK CLI.

I actually thought that if I logged in from the CLI, the Cloud Code plugin would use the same authentication and I wouldn't need to log in from the plugin, but that was not the case.

I wonder if there is an alternative option such as gcloud auth activate-service-account from CLI.

Thank you.

wonsuc, Jul 30 '21 08:07

Thanks for the report @wonsuc, this is an interesting scenario. Cloud Code needs standard credentials for some of the libraries we use, but we can definitely take a look into service account scenarios. To get a bit more information on your setup, what happens if you call these commands from CLI: gcloud auth list and gcloud auth describe "your account name"? First command should give you a list of your accounts (or service accounts), and second should give a list of access tokens for a given account name. You don't need to give us the exact list to avoid sharing private information, just general description.

Also, it would be great to take a look at your IDE logs (Menu -> Help -> Show Log in Finder) - please attach them to this issue if you could. Thanks!

ivanporty, Jul 30 '21 13:07

> Thanks for the report @wonsuc, this is an interesting scenario. Cloud Code needs standard credentials for some of the libraries we use, but we can definitely take a look into service account scenarios. To get a bit more information on your setup, what happens if you call these commands from CLI: gcloud auth list and gcloud auth describe "your account name"? First command should give you a list of your accounts (or service accounts), and second should give a list of access tokens for a given account name. You don't need to give us the exact list to avoid sharing private information, just general description.

Thank you and here you go. I replaced my personal information with (...).

PS C:\Users\wonsuc.id> gcloud auth list
                   Credentialed Accounts
ACTIVE  ACCOUNT
*       (...)@appspot.gserviceaccount.com

To set the active account, run:
    $ gcloud config set account `ACCOUNT`
PS C:\Users\wonsuc.id> gcloud auth describe (...)@appspot.gserviceaccount.com
_additional_claims: {}
_always_use_jwt_access: false
_id_token: (...)
_jwt_credentials: null
_rapt_token: null
_subject: null
_token_uri: https://oauth2.googleapis.com/token
client_id: '(...)'
default_scopes: null
expired: false
expiry: 08-02-2021 04:06:30
id_tokenb64: (...)
private_key: |
  -----BEGIN PRIVATE KEY-----
(...)
  -----END PRIVATE KEY-----
private_key_id: (...)
project_id: (...)
quota_project_id: null
requires_scopes: false
scopes:
- openid
- https://www.googleapis.com/auth/userinfo.email
- https://www.googleapis.com/auth/cloud-platform
- https://www.googleapis.com/auth/appengine.admin
- https://www.googleapis.com/auth/compute
service_account_email: (...)@appspot.gserviceaccount.com
signer_email: (...)@appspot.gserviceaccount.com
token: (...)
type: service_account
valid: true

> Also, it would be great to take a look at your IDE logs (Menu -> Help -> Show Log in Finder) - please attach them to this issue if you could. Thanks!

I checked the idea.log file and tried the login process multiple times, and it only shows these logs.

2021-08-02 12:18:22,611 [ 261620]   INFO - kaffoldTrackingStartupActivity - updating skaffold session for java-cloud-run-hello-world due to login status change 
2021-08-02 12:21:22,887 [ 441896]   INFO - kaffoldTrackingStartupActivity - updating skaffold session for java-cloud-run-hello-world due to login status change 

wonsuc, Aug 02 '21 03:08
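
One way to mask `gcloud auth describe` output like the above before posting it to a public issue, as an added example that is not part of the original thread and is not code from Cloud Code or gcloud. The function name, the choice of keys to mask and all sample values are assumptions constructed for illustration.

```python
import re

# Keys from the `gcloud auth describe` output in this thread whose values are
# credentials or identifiers; which keys to mask is this example's choice.
SENSITIVE_KEYS = {"_id_token", "id_tokenb64", "token", "private_key",
                  "private_key_id", "client_id", "project_id", "_rapt_token"}
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_]\w*):(.*)$")
EMAIL = re.compile(r"[\w.+-]+@([\w.-]+\.[A-Za-z]{2,})")
MASK = "(redacted)"

# Constructed sample: every value below is made up for the example.
SAMPLE = """\
_token_uri: https://oauth2.googleapis.com/token
_rapt_token: null
client_id: 'CONSTRUCTED-CLIENT-ID'
private_key: |
  -----BEGIN PRIVATE KEY-----
CONSTRUCTED+PLACEHOLDER/NOT+A+REAL+KEY==
  -----END PRIVATE KEY-----
private_key_id: CONSTRUCTED-KEY-ID
scopes:
- openid
- https://www.googleapis.com/auth/cloud-platform
service_account_email: example-app@appspot.gserviceaccount.com
token: CONSTRUCTED-ACCESS-TOKEN
type: service_account
"""

def redact_describe(text: str) -> str:
    """Mask secret fields, keep structural ones (type, scopes, token URI)."""
    out, skipping = [], False
    for line in text.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if m:
            skipping = False
            key, value = m.group(1), m.group(2).strip()
            if key in SENSITIVE_KEYS and value != "null":
                out.append(f"{key}: {MASK}")
                skipping = True  # drop continuation lines (PEM block body)
                continue
        elif skipping:
            continue
        out.append(EMAIL.sub(MASK + r"@\1", line))
    return "\n".join(out)

if __name__ == "__main__":
    print(redact_describe(SAMPLE))
```

The PEM body is dropped even when its lines are not indented, because everything after a masked key is skipped until the next top-level `key:` line.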

Still working on having this reproduced locally and then we'll be back with an update or a potential workaround

ivanporty, Aug 19 '21 17:08

@ivanporty Thank you. Can't wait to see the solution!

wonsuc, Aug 23 '21 03:08