google-cloud-go: asn1: structure error: tags don't match
Client
Datastore
Describe Your Environment
Own server
Expected Behavior
I can connect and query data. I’m using a service account json credential downloaded from the cloud console.
store, _ := datastore.NewClient(context.Background(), project, option.WithCredentialsFile("credentials.json"))
keys, _ := store.GetAll(context.Background(), datastore.NewQuery("Entity").Limit(256), &results)
{
  "type": "service_account",
  "project_id": "...",
  "private_key_id": "...",
  "private_key": "-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----\n",
  "client_email": "...@....iam.gserviceaccount.com",
  "client_id": "...",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/...%40....iam.gserviceaccount.com"
}
Actual Behavior
Query fails with rpc error: code = Unauthenticated desc = transport: private key should be a PEM or plain PKCS1 or PKCS8; parse error: asn1: structure error: tags don't match (16 vs {class:0 tag:13 length:45 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2
About this issue
- State: closed
- Created 6 years ago
- Comments: 20 (18 by maintainers)
I’ve double checked and the key can successfully be decoded, so my above pem report is moot. Still trying to figure out what rejects it in the end.
Huh, if I create a key on top of the “App Engine default service account”, all permissions are fine. If I use a separate service account, my requests get rejected.
~I’ve been seeing this exact PEM parsing error happen intermittently. So far I’ve seen it 172 times today (although I’m sub-sampling 5% of errors blindly because of the volume of work my system does). There’s only one file the credentials are in, which is generated via confd – and one codepath for parsing and using that data. For scale, I’m attempting token fetches (and thus this code path) about 100 times per minute. No process restarts, manual intervention on the node, automated confd regeneration (it’s manually triggered), etc. It’s just that somehow or other, the PEM parsing fails from time to time.~
~We’ve only recently started seeing this problem, although the blind sub-sampling of errors might have masked it out if it was happening infrequently before. We’re on Go 1.11.10, and v0.39.0 of cloud.google.com/go.~
~Not super useful, I know – but I figured it might be a useful datapoint. Happy to provide more info, if you can think of anything useful I might be able to add.~
Problem was happening 100% of the time – in our staging environment. And it had nothing to do with this library. My apologies for adding to the noise floor.
This issue appears to happen for me when the service-account.json I pass in to authenticate works if the file is pretty-printed json and does not work if I remove spaces and line breaks from the json and not the key.
printf "%s" '${GCLOUD_CREDS}' > service-account.json
Putting JSON with spaces and line breaks will result in printf "%s" "{ " > service-account.json
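Added example (not code from this issue or from google-cloud-go): a small Go check that reproduces the reported ASN.1 error offline, so a credentials file can be tested before it is handed to a client. It assumes the PEM-then-plain-DER fallback order suggested by the error text; `parseKey`, `sampleDoc` and `mangle` are hypothetical names, the key is a throwaway generated at run time, and the double-escaped `\n` is a constructed failure case.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

// parseKey tries PEM first, then treats the bytes as plain DER (PKCS8, then
// PKCS1). This order is an assumption taken from the wording of the error.
func parseKey(doc []byte) (pemFound bool, err error) {
	var f struct{ PrivateKey string `json:"private_key"` }
	if err := json.Unmarshal(doc, &f); err != nil {
		return false, err
	}
	der := []byte(f.PrivateKey)
	if block, _ := pem.Decode(der); block != nil {
		pemFound, der = true, block.Bytes
	}
	if _, err = x509.ParsePKCS8PrivateKey(der); err != nil {
		_, err = x509.ParsePKCS1PrivateKey(der)
	}
	return pemFound, err
}

// sampleDoc builds a constructed credentials document around a throwaway key.
func sampleDoc() []byte {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	p := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	doc, _ := json.Marshal(map[string]string{"type": "service_account", "private_key": string(p)})
	return doc
}

// mangle escapes the key's \n sequences a second time (constructed failure case).
func mangle(doc []byte) []byte {
	return []byte(strings.ReplaceAll(string(doc), `\n`, `\\n`))
}

func main() {
	for _, doc := range [][]byte{sampleDoc(), mangle(sampleDoc())} {
		found, err := parseKey(doc)
		fmt.Printf("pem armor found=%v err=%v\n", found, err)
	}
}
```

In the failing case the ASN.1 parser reads the first two dashes of `-----BEGIN` (bytes 0x2d 0x2d) as a header with tag 13 and length 45, which is the `tag:13 length:45` in the error reported above: the PEM text itself was parsed as DER because no PEM block was found.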