bazel: Bazel 5.2 Google Cloud's Workload identity federation auth seems broken
Description of the bug:
Bazel 5.2 updated to the Google Auth library, which supports Workload identity federation, useful for keyless authentication from pipelines. This can be verified in https://github.com/bazelbuild/bazel/pull/15383. However, when providing the credentials file through the google_credentials flag:
bazel build //... \
--remote_cache <cache-url> \
--google_credentials=${{ steps.auth.outputs.credentials_file_path }}
Bazel just throws an error:
Caused by: java.lang.IllegalArgumentException: Can not set java.util.List field com.google.api.client.http.HttpHeaders.authorization to java.lang.String
at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(Unknown Source)
at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(Unknown Source)
at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(Unknown Source)
at java.base/java.lang.reflect.Field.set(Unknown Source)
at com.google.api.client.util.FieldInfo.setFieldValue(FieldInfo.java:245)
at com.google.api.client.util.FieldInfo.setValue(FieldInfo.java:206)
at com.google.api.client.util.GenericData.set(GenericData.java:125)
at com.google.api.client.http.HttpHeaders.set(HttpHeaders.java:175)
at com.google.api.client.http.HttpHeaders.set(HttpHeaders.java:58)
at com.google.api.client.util.GenericData.putAll(GenericData.java:138)
at com.google.auth.oauth2.IdentityPoolCredentials.getSubjectTokenFromMetadataServer(IdentityPoolCredentials.java:233)
at com.google.auth.oauth2.IdentityPoolCredentials.retrieveSubjectToken(IdentityPoolCredentials.java:188)
at com.google.auth.oauth2.IdentityPoolCredentials.refreshAccessToken(IdentityPoolCredentials.java:169)
at com.google.auth.oauth2.OAuth2Credentials$1.call(OAuth2Credentials.java:257)
at com.google.auth.oauth2.OAuth2Credentials$1.call(OAuth2Credentials.java:254)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at com.google.common.util.concurrent.DirectExecutor.execute(DirectExecutor.java:30)
at com.google.auth.oauth2.OAuth2Credentials$AsyncRefreshResult.executeIfNew(OAuth2Credentials.java:580)
at com.google.auth.oauth2.OAuth2Credentials.asyncFetch(OAuth2Credentials.java:220)
at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:170)
at com.google.auth.oauth2.ExternalAccountCredentials.getRequestMetadata(ExternalAccountCredentials.java:292)
at com.google.devtools.build.lib.remote.http.AbstractHttpHandler.addCredentialHeaders(AbstractHttpHandler.java:73)
at com.google.devtools.build.lib.remote.http.HttpDownloadHandler.write(HttpDownloadHandler.java:141)
at io.netty.channel.AbstractChannelHandlerContext.invokeWrite0(AbstractChannelHandlerContext.java:717)
at io.netty.channel.AbstractChannelHandlerContext.invokeWriteAndFlush(AbstractChannelHandlerContext.java:764)
at io.netty.channel.AbstractChannelHandlerContext.write(AbstractChannelHandlerContext.java:790)
at io.netty.channel.AbstractChannelHandlerContext.writeAndFlush(AbstractChannelHandlerContext.java:758)
at io.netty.channel.AbstractChannelHandlerContext.writeAndFlush(AbstractChannelHandlerContext.java:808)
at io.netty.channel.DefaultChannelPipeline.writeAndFlush(DefaultChannelPipeline.java:1025)
at io.netty.channel.AbstractChannel.writeAndFlush(AbstractChannel.java:306)
at com.google.devtools.build.lib.remote.http.HttpCacheClient.lambda$get$6(HttpCacheClient.java:496)
at io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:578)
...
What’s the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.
bazel build //... \
--remote_cache <cache-url> \
--google_credentials=${{ steps.auth.outputs.credentials_file_path }}
Which operating system are you running Bazel on?
Linux on Github Actions
What is the output of bazel info release?
5.2.0
If bazel info release returns development version or (@non-git), tell us how you built Bazel.
No response
What’s the output of git remote get-url origin; git rev-parse master; git rev-parse HEAD?
No response
Have you found anything relevant by searching the web?
https://github.com/bazelbuild/bazel/issues/14278
Any other information, logs, or outputs that you want to share?
No response
About this issue
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 17 (8 by maintainers)
Commits related to this issue
- Populate HttpHeaders fields with List<String> instead of String. HttpHeaders.putAll uses reflective access. Well-known headers such as Content-Type or Authentication have dedicated fields of type Lis... — committed to tjgq/google-auth-library-java by tjgq 2 years ago
- fix: Populate HttpHeaders fields with List<String> instead of String. IdentityPoolCredentials#getSubjectTokenFromMetadataServer calls HttpHeaders.putAll to set request headers. The latter sets its fi... — committed to tjgq/google-auth-library-java by tjgq 2 years ago
- Upgrade google-http-client and google-http-client-gson. In #15176 we upgraded google-auth-library-oauth2-http to 1.6.0, but didn't upgrade its dependencies accordingly; Maven claims 1.41.4 is needed ... — committed to tjgq/bazel by tjgq 2 years ago
- Upgrade google-http-client and google-http-client-gson. In #15176 we upgraded google-auth-library-oauth2-http to 1.6.0, but didn't upgrade its dependencies accordingly; Maven claims 1.41.4 is needed ... — committed to aiuto/bazel by tjgq 2 years ago
- Upgrade google-http-client and google-http-client-gson. (#16745) In #15176 we upgraded google-auth-library-oauth2-http to 1.6.0, but didn't upgrade its dependencies accordingly; Maven claims 1.41.4 ... — committed to bazelbuild/bazel by tjgq 2 years ago
FYI, I’m going to backport this into 5.4.0 because I got a report of another user running into an issue related to this.
I was able to repro this today. It looks like there’s a bug in the google-auth-library-oauth2-http library. I’ve sent https://github.com/googleapis/google-auth-library-java/pull/984 to fix it.
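The failure mode named in the related commit messages, as an added example that is not code from Bazel or google-auth-library-java: a reflective setter assigns a header value to a dedicated List<String> field without conversion, so a String is rejected and a one-element list is accepted. The Headers class and its putAll are hypothetical stand-ins for HttpHeaders, and the token is a constructed sample.

```java
import java.lang.reflect.Field;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class HeaderFieldTypeDemo {
    // Hypothetical stand-in for HttpHeaders: a well-known header lives in a
    // dedicated List<String> field, everything else goes into a generic map.
    static class Headers {
        List<String> authorization;
        final Map<String, Object> unknown = new LinkedHashMap<>();

        // Stand-in for the reflective putAll/set path in the stack trace.
        void putAll(Map<String, ?> values) throws IllegalAccessException {
            for (Map.Entry<String, ?> e : values.entrySet()) {
                Field f = findField(e.getKey());
                if (f != null) {
                    f.set(this, e.getValue()); // no conversion: the type must match
                } else {
                    unknown.put(e.getKey(), e.getValue());
                }
            }
        }

        // Case-insensitive lookup of a dedicated List-typed header field.
        private static Field findField(String name) {
            for (Field f : Headers.class.getDeclaredFields()) {
                if (f.getType() == List.class && f.getName().equalsIgnoreCase(name)) {
                    return f;
                }
            }
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        String token = "Bearer constructed-sample-token"; // constructed value
        try {
            // Before the fix: a plain String reaches the List<String> field.
            new Headers().putAll(Map.of("Authorization", token));
        } catch (IllegalArgumentException ex) {
            System.out.println("String value rejected: " + ex.getMessage());
        }
        // After the fix: the value is wrapped in a list before it is set.
        Map<String, Object> fixed = new LinkedHashMap<>();
        fixed.put("Authorization", Collections.singletonList(token));
        fixed.put("X-Custom", "v");
        Headers ok = new Headers();
        ok.putAll(fixed);
        System.out.println("List value accepted: " + ok.authorization + ", other: " + ok.unknown);
    }
}
```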