
I have a Next.js app that uses an API hosted on Google Cloud Run during its static site generation (SSG). The SSG happens during the build step, which is performed inside a Docker Node.js container in Cloud Build. However, I get this error during the build:

```
Step #0: Error: Could not fetch ID token: Unsuccessful response status code. Request failed with status code 404
Step #0:     at Gaxios._request (/app/node_modules/gaxios/build/src/gaxios.js:129:23)
Step #0:     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Step #0:     at async metadataAccessor (/app/node_modules/gcp-metadata/build/src/index.js:68:21)
Step #0:     at async Compute.fetchIdToken (/app/node_modules/google-auth-library/build/src/auth/computeclient.js:80:23)
Step #0:     at async IdTokenClient.getRequestMetadataAsync (/app/node_modules/google-auth-library/build/src/auth/idtokenclient.js:35:29)
Step #0:     at async IdTokenClient.getRequestHeaders (/app/node_modules/google-auth-library/build/src/auth/oauth2client.js:247:26)
...
```

This happens when trying to fetch an ID token with the google-auth-library like so:

```
await this.googleAuth.getIdTokenClient(...)
```

The build command running the build (the -t parameter is passed the image name and version, I just omitted it here):

```
steps:
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '--network=cloudbuild', '-t', '...', '.']
```

The 404 error indicates that Cloud Build can't find whatever service is used to get an ID token. I have found some similar errors:

Is there any way to allow google-auth-library to fetch an ID token inside Cloud Build?

ptf
  • If Google allowed you to fetch an Identity Token from the Cloud Build service, you would be able to impersonate Cloud Build. That would be a security issue. You will need to create your own Identity Token from one of your service accounts. – John Hanley Aug 15 '22 at 09:02
  • @JohnHanley Is that what is described here https://stackoverflow.com/a/64268716/11297850? Or is there some other docs you know of that could help me get started? I'm kind of new to GCP :) – ptf Aug 15 '22 at 09:21
  • Yes, that answer shows you how to solve your problem. The first method is easy to implement as Cloud Build provides a builder for the CLI. – John Hanley Aug 15 '22 at 09:25
  • @JohnHanley 1. How safe is it to print the access token into the terminal with `gcloud auth print-access-token`? 2. I would then need to pass the id token to the `google-auth-library` manually as a parameter? – ptf Aug 15 '22 at 09:34
  • The risk is something showing up in the Cloud Build logs. Do not print to the terminal, capture the output in a variable. – John Hanley Aug 15 '22 at 09:44
  • @JohnHanley Is there a more complete example of how to do this somewhere? Ideally step-by-step. – ptf Aug 15 '22 at 11:18
  • Your link has what you need to do. I am not aware of a more in-depth step-by-step article. Creating a Cloud Build step with the CLI is easy. Read the docs and practice. – John Hanley Aug 15 '22 at 18:26
  • @ptf as John Hanley mentioned, you can go through the Stack Overflow URL: https://stackoverflow.com/questions/64252736/google-cloud-build-fetch-identity-token/64268716#64268716 and you can refer to the documents https://cloud.google.com/nodejs/docs/reference/google-auth-library/latest & https://medium.com/google-cloud/service-account-credentials-api-a-solution-to-different-issues-dc7434037115 – Monali Ghotekar Aug 16 '22 at 06:17
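
The approach described in the comments above (mint an ID token from one of your own service accounts with the gcloud CLI, and capture it in a variable instead of printing it), as an added shell example that is not part of the original thread. The function names and the `ID_TOKEN` variable name are assumptions, and the identity running the step is assumed to be allowed to impersonate the service account.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names and the ID_TOKEN variable
# name are assumptions; service account and audience come from the caller.

# With `set -x` active the shell echoes every expanded command line into the
# build log, token included, so tracing is paused around token handling.
_trace_off() { case "$-" in *x*) _had_x=1; set +x ;; *) _had_x=0 ;; esac; }
_trace_restore() { if [ "$_had_x" = 1 ]; then set -x; fi; }

# mint_id_token SERVICE_ACCOUNT AUDIENCE: sets ID_TOKEN, prints nothing.
mint_id_token() {
  [ -n "${1:-}" ] && [ -n "${2:-}" ] ||
    { echo "usage: mint_id_token SERVICE_ACCOUNT AUDIENCE" >&2; return 2; }
  _trace_off
  _rc=0
  # Command substitution captures stdout, so the token is never printed.
  if ! ID_TOKEN=$(gcloud auth print-identity-token \
        --impersonate-service-account="$1" \
        --audiences="$2" --include-email); then
    _rc=1
  else
    # A JWT is three non-empty base64url segments joined by dots.
    case "$ID_TOKEN" in
      *[!A-Za-z0-9._-]*|*.*.*.*|.*|*.|*..*) _rc=1 ;;  # bad chars or shape
      *.*.*) ;;                                        # header.payload.signature
      *) _rc=1 ;;
    esac
  fi
  if [ "$_rc" -ne 0 ]; then
    unset ID_TOKEN
    echo "mint_id_token: no usable ID token for audience $2" >&2
  fi
  _trace_restore
  return "$_rc"
}

# with_id_token CMD [ARGS...]: run CMD with ID_TOKEN set in its environment.
with_id_token() {
  _trace_off   # before any line that expands $ID_TOKEN
  if [ -n "${ID_TOKEN:-}" ]; then
    ID_TOKEN="$ID_TOKEN" "$@"
    _rc=$?
  else
    echo "with_id_token: call mint_id_token first" >&2
    _rc=1
  fi
  _trace_restore
  return "$_rc"
}
```

Called as `mint_id_token SA AUDIENCE && with_id_token npm run build` (the build command is an assumption), the build process reads the token from `process.env.ID_TOKEN`. A value handed to `docker build` with `--build-arg` is visible in the image history, so that is not a safe way to pass the token.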

0 Answers