You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
// buildTaskRequest build task request from event and publisher configfunc (p*PublisherImpl) buildTaskRequest(envEnvelope) (*taskspb.CreateTaskRequest, error) {
...headers:=map[string]string{
"Content-Type": "application/json",
}
req:=&taskspb.CreateTaskRequest{
Parent: queuePath,
Task: &taskspb.Task{
// https://godoc.org/google.golang.org/genproto/googleapis/cloud/tasks/v2#HttpRequestMessageType: &taskspb.Task_HttpRequest{
HttpRequest: &taskspb.HttpRequest{
Url: <irrelevantWorkerUrl>,// this is a different endpoint than what is being defined in the queue-level routingHttpMethod: taskspb.HttpMethod_POST,
Headers: headers,
Body: payload,
AuthorizationHeader: &taskspb.HttpRequest_OidcToken{
OidcToken: &taskspb.OidcToken{
ServiceAccountEmail: "<service-acount-email>",// this is the same as what was defined on the queue-level routing
},
},
},
},
},
}
returnreq, nil
}
// publish event to Cloud Tasksfunc (p*PublisherImpl) publish(ctx context.Context, eeEnvelope) error {
req, err:=p.buildTaskRequest(ee)
iferr!=nil {
returnerr
}
createdTask, err:=p.cloudTaskClient.CreateTask(context.Background(), req)
iferr!=nil {
returnerr
}
...returnnil
}
Expected behavior
We expect the irrelevantWorkerUrl being set during task creation to not matter and have our tasks routed and authenticated using the values set on the queue.
Actual behavior
Everything set as part of URI Override works perfectly.
However, the JWT being created for the service account has an audience that matches irrelevantWorkerUrl.
So our worker service refuses to accept the request because the audience on the token is irrelevantWorkerUrl instead of the https://<cloud-run-worker-service-host> that we set on the queue.
We can get the code working if we pass cloud-run-worker-service-host as the audience or as the worker url, but that defeats our goal of using queue-level routing.
When checking the queue, everything looks correct.
Same result where the audience is irrelevantWorkerUrl
We also tried creating tasks using golang code and gcloud where we don't pass a service-account. In those cases, a token does not get generated at all.
Maybe we are misunderstanding what --http-oidc-token-audience-override is supposed to do, but so far, it doesn't seem like it does anything.
The text was updated successfully, but these errors were encountered:
I am not an expert on cloudtasks but this seems intentional from the docs: "Audience to be used when generating OIDC token. If not specified, the URI specified in target will be used."
This issue track primary deals with issue in the client libraries themseleves and not the services. I would recommend reaching out via a support contract and/or cloudtasks support page. Sorry I can't be of more help.
Not a problem. I actually also did reach out to support just incase the issue is with the service, but was worried that the client was doing something that was interfering with the oidc audience overwrite setting on the queue.
At this point, I can't tell what the problem lies. The doc explanation made perfect sense before queue-level routing was a thing. But now, I am worried that the behavior is causing problems.
Client
cloudtasks
Environment
Image built with alpine running on Cloud Run
Go Environment
$ gcloud version
Code
Note: Anything within
<>
is a replacement of the actual values.Updating queue to have queue-level routing
Task creation code:
Expected behavior
We expect the
irrelevantWorkerUrl
being set during task creation to not matter and have our tasks routed and authenticated using the values set on the queue.Actual behavior
Everything set as part of URI Override works perfectly.
However, the JWT being created for the service account has an audience that matches
irrelevantWorkerUrl
.So our worker service refuses to accept the request because the audience on the token is
irrelevantWorkerUrl
instead of thehttps://<cloud-run-worker-service-host>
that we set on the queue.We can get the code working if we pass
cloud-run-worker-service-host
as the audience or as the worker url, but that defeats our goal of using queue-level routing.When checking the queue, everything looks correct.
gcloud tasks queues describe
Additional context
The whole reason we want to use queue-level routing is so we don't have to pass the worker service's host to all the places where we create tasks.
I am not sure if this feature is out of beta but I see the options documented here without any indication that it is a beta feature.
https://cloud.google.com/sdk/gcloud/reference/tasks/queues/create
https://cloud.google.com/sdk/gcloud/reference/tasks/queues/update
https://cloud.google.com/tasks/docs/configuring-queues#gcloud
For this test, we are using existing golang code for creating tasks but we generated a new queue with queue-level routing.
We also tried creating tasks using gcloud:
Same result where the audience is
irrelevantWorkerUrl
We also tried creating tasks using golang code and gcloud where we don't pass a service-account. In those cases, a token does not get generated at all.
Maybe we are misunderstanding what
--http-oidc-token-audience-override
is supposed to do, but so far, it doesn't seem like it does anything.The text was updated successfully, but these errors were encountered: