gapic-generator-java

Universe domain validation error

Open mutianf opened this issue 10 months ago • 2 comments

When the universe domain is set and GoogleCredentialsProvider returns a ServiceAccountJwtAccessCredentials, the subsequent validate step will fail with the error: "The configured universe domain (<some universe domain>) does not match the universe domain found in the credentials (googleapis.com). If you haven't configured the universe domain explicitly, googleapis.com is the default." This is likely caused by the universe domain not being implemented in the ServiceAccountJwtAccessCredentials class, so ServiceAccountJwtAccessCredentials returns the default universe domain but resolvedUniverseDomain returns the universe domain set by the user: https://github.com/googleapis/sdk-platform-java/blob/main/gax-java/gax/src/main/java/com/google/api/gax/rpc/EndpointContext.java#L167-L169C10

mutianf avatar Feb 05 '25 14:02 mutianf
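
A simplified, dependency-free model of the check described in the report above, added here as an illustration; it is not code from gax, the auth library, or the issue author. The names `Creds`, `keyAware`, `defaultOnly` and `validate`, and the sample domain `example-universe.test`, are constructed for the example. It shows why a credential type that never reads `universe_domain` from the key data fails a fail-closed comparison even when the key belongs to the configured universe.

```java
import java.util.Map;

public class UniverseDomainCheck {
    static final String DEFAULT_UNIVERSE = "googleapis.com";

    // Hypothetical stand-in for a credential object; not the auth library's type.
    interface Creds { String universeDomain(); }

    // Credential that honours the universe_domain field of the key data.
    static Creds keyAware(Map<String, String> key) {
        return () -> key.getOrDefault("universe_domain", DEFAULT_UNIVERSE);
    }

    // Models the behaviour reported above: the key's universe_domain is
    // never consulted, so the default is always returned.
    static Creds defaultOnly(Map<String, String> key) {
        return () -> DEFAULT_UNIVERSE;
    }

    // Fail-closed comparison: returns null on a match, else the mismatch text.
    static String validate(String configured, Creds creds) {
        String resolved = (configured == null || configured.isEmpty())
                ? DEFAULT_UNIVERSE : configured;
        String found = creds.universeDomain();
        if (resolved.equals(found)) {
            return null;
        }
        return "The configured universe domain (" + resolved + ") does not match the "
                + "universe domain found in the credentials (" + found + ").";
    }

    public static void main(String[] args) {
        // Constructed sample values, not a real key or universe.
        Map<String, String> key = Map.of(
                "client_email", "sa@example-project.example",
                "universe_domain", "example-universe.test");
        String configured = "example-universe.test";

        System.out.println("key-aware:    " + validate(configured, keyAware(key)));
        System.out.println("default-only: " + validate(configured, defaultOnly(key)));
        // With no configured value the default applies, so a key from
        // another universe is rejected rather than silently accepted.
        System.out.println("unset config: " + validate(null, keyAware(key)));
    }
}
```
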

Repro code:

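import com.google.cloud.bigtable.data.v2.BigtableDataClient;
import com.google.cloud.bigtable.data.v2.BigtableDataSettings;
import com.google.cloud.bigtable.data.v2.models.RowMutation;
import com.google.cloud.bigtable.data.v2.models.TableId;

// Values in braces are placeholders to fill in.
BigtableDataSettings.Builder settings = BigtableDataSettings.newBuilder()
        .setProjectId("{project_id}")
        .setInstanceId("{instance_id}");

// Configure a non-default universe domain and the matching metrics endpoint.
settings.stubSettings().setUniverseDomain("{universe_domain}");
settings.stubSettings().setMetricsEndpoint("monitoring.{universe_domain}:443");

System.out.println("testing data API");
try (BigtableDataClient client = BigtableDataClient.create(settings.build())) {
    System.out.println("sending request");
    client.mutateRow(RowMutation.create(TableId.of("test"), "row-key")
            .setCell("cf", "q", "value"));

    System.out.println(client.readRow(TableId.of("test"), "row-key"));
}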
...

In the environment, set the GOOGLE_APPLICATION_CREDENTIALS env var to point to the SA Key Json.

lqiu96 avatar Feb 05 '25 15:02 lqiu96

A few things to investigate:

  • What is the difference between ServiceAccountCredentials and ServiceAccountJwtAccessCredentials in the Auth Library?
  • Does ServiceAccountCredentials with SSJWT have the same behavior as ServiceAccountJwtAccessCredentials?
  • Can the client libraries potentially be updated to use ServiceAccountCredentials with SSJWT?

lqiu96 avatar Feb 20 '25 19:02 lqiu96

Marking this as fixed as this change was made in https://github.com/googleapis/sdk-platform-java/pull/3806

lqiu96 avatar Jun 04 '25 19:06 lqiu96