google-cloud-go icon indicating copy to clipboard operation
google-cloud-go copied to clipboard
verified publisher icon googleapis

auth: directpath no longer emits warning if misconfigured using new auth support

Open frankyn opened this issue 1 year ago • 13 comments

Client

Storage

Code and Dependencies

package main

import (
	"context"
	"log"

	"cloud.google.com/go/storage"
)

func main() {
	ctx := context.Background()

	// Creates a gRPC enabled client
        // If used outside of GCE a warning used to be emitted.
	client, err := storage.NewGRPCClient(ctx)
	if err != nil {
		log.Fatalf("Failed to create client: %v", err)
	}
	defer client.Close()
}

Expected behavior

Warnings were introduced into google-api-go-client (https://github.com/googleapis/google-api-go-client/pull/2225) to tell users that DirectPath is misconfigured client side; such as running gRPC API client outside of GCE.

Actual behavior

New google-cloud-go auth support reimplemented this logic but didn't bring along the warning. https://github.com/googleapis/google-cloud-go/blob/main/auth/grpctransport/directpath.go#L96

frankyn avatar Oct 16 '24 20:10 frankyn

cc @xmenxk

quartzmo avatar Oct 17 '24 17:10 quartzmo

@frankyn do we expect only customers to set the EnableDirectPathXds option, if so then it make sense.

But I've seen Google's per-product client libraries e.g. spanner, storage setting the EnableDirectPathXds=true by default, in that case, I suspect this would be too noisy and maybe confusing. If I'm a customer just running Storage client code on-prem, I'd be getting "WARNING: DirectPath is misconfigured. DirectPath is only available in a GCE environment." even though I never asked to use directpath.

xmenxk avatar Oct 17 '24 17:10 xmenxk

That's a good point; it's not longer required in Go Storage; we've enabled it by default. The reason we did it at first is it's hard to tell if there's misconfiguration client side that can be detected and surfaced to users. If a customer uses invalid credentials or attempt using gRPC + DP outside of GCE fall back to Cloud Path will occur but doesn't notify the user this occurred.

If I'm a customer just running Storage client code on-prem, I'd be getting "WARNING: DirectPath is misconfigured. DirectPath is only available in a GCE environment." even though I never asked to use directpath.

For GCS, gRPC is a new transport option so customers must opt-in to it but direct path is enabled by default when using gRPC.

I suspect this would be too noisy and maybe confusing. The implementation used a rate limiter to reduce noise but agree that it's noisy.

frankyn avatar Oct 17 '24 17:10 frankyn

We recently ran into an issue where directPath was falling back to cloudpath silently for certain auth types (see #11062). It would have been much easier to diagnose this if a warning were present. At the very least the storage client needs some way to check programmatically whether directPath is working on the transport.

tritone avatar Oct 31 '24 02:10 tritone

@xmenxk is it possible to introduce a flag to detect this at least in Storage? We don't expect customers to use GCS gRPC API outside of GCP.

frankyn avatar Oct 31 '24 21:10 frankyn

Yes I don't have any objection on adding back such logs. Only suggestion is for the language of the warning, instead of saying misconfigured, maybe we can just say disabled, or something along that line.

@quartzmo

xmenxk avatar Oct 31 '24 21:10 xmenxk

@xmenxk SGTM. Do you want to create a PR for this?

quartzmo avatar Nov 01 '24 16:11 quartzmo

sure, I can take this

xmenxk avatar Nov 01 '24 16:11 xmenxk

Short update, I lost a day debugging an issue by not having a warning when a non-default GCE service account was used. Have this soon would be helpful.

frankyn avatar Nov 15 '24 01:11 frankyn

This was fixed by https://github.com/googleapis/google-cloud-go/pull/11162, right?

vanja-p avatar Jul 17 '25 20:07 vanja-p

@vanja-p Yes, and the change from #11162 is still present in the most recently released version:

https://github.com/googleapis/google-cloud-go/blob/auth/v0.16.3/auth/grpctransport/directpath.go#L119

Have you noticed anything wrong?

quartzmo avatar Jul 17 '25 21:07 quartzmo

I just wasn't sure because this issue is still open.

A few semi-related comments:

  1. using o.logger() instead of fmt.Prinln makes me less confident that the logs will end up in stderr, instead of just /dev/null.
  2. I wish there was a way to positively check that DirectPath worked for an RPC, instead of trusting the absence of log messages.
  3. The docs imply that DirectPath only works when using the default (VM metadata provided) service account, but since https://github.com/googleapis/google-cloud-go/pull/11878, WithCredentialsFile and WithCredentialsJSON seem to also be supported. The docs in question:
    • https://cloud.google.com/storage/docs/enable-grpc-api#grpc-client-library
    • https://cloud.google.com/storage/docs/direct-connectivity#requirements
    • https://pkg.go.dev/cloud.google.com/go/storage#hdr-gRPC_API

vanja-p avatar Jul 23 '25 18:07 vanja-p

Reassigning to @cpriti-os for the docs issues listed above:

The docs imply that DirectPath only works when using the default (VM metadata provided) service account, but since https://github.com/googleapis/google-cloud-go/pull/11878, WithCredentialsFile and WithCredentialsJSON seem to also be supported. The docs in question: https://cloud.google.com/storage/docs/enable-grpc-api#grpc-client-library https://cloud.google.com/storage/docs/direct-connectivity#requirements https://pkg.go.dev/cloud.google.com/go/storage#hdr-gRPC_API

quartzmo avatar Nov 20 '25 16:11 quartzmo