You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
#572 added keyless cloud_identity real-cloud smoke CI. The AWS keyless path passes end-to-end in CI: a GitHub-OIDC-assumed IAM role → AmazonS3Builder::from_env() reads the role's credentials from the environment → real keyless S3 round-trip. ✅
The GCS keyless path could not be exercised on the GitHub Actions runner. With google-github-actions/auth (Workload Identity Federation, default create_credentials_file: true), the runner's GOOGLE_APPLICATION_CREDENTIALS points at a WIF external_account credentials file. But object_store's GCS Application Default Credentials resolution went straight to the GCE metadata server instead:
A non-GCE GitHub runner has no metadata server, so the round-trip fails. This is an environment/tooling limitation, not a product bug: on a real GKE Workload Identity / GCE deployment the metadata server is present, which is exactly the path build_object_store_ambient(Gcs, …) (no service-account key → ADC) uses in production.
What's verified vs. not
✅ GCS ambient builder constructs offline — unit test build_object_store_ambient_dispatches_gcs.
⏳ GCS keyless (ADC via metadata) real round-trip — not exercisable on a non-GCE CI runner; needs a real GKE/GCE environment.
Ask
Run objstore_smoke_gcs_cloud_identity (already in crates/aisix-obs/src/sink/object_store.rs, gated on AISIX_E2E_OBJSTORE_CLOUDID_GCS_BUCKET) on a real GKE pod with Workload Identity (or a GCE VM with an attached service account) that has roles/storage.objectAdmin on the test bucket — there the ambient ADC hits the metadata server and the round-trip should green. Optionally investigate whether a newer object_store supports the WIF external_account file so it could run on a plain GitHub runner.
Context
#572 added keyless
cloud_identityreal-cloud smoke CI. The AWS keyless path passes end-to-end in CI: a GitHub-OIDC-assumed IAM role →AmazonS3Builder::from_env()reads the role's credentials from the environment → real keyless S3 round-trip. ✅The GCS keyless path could not be exercised on the GitHub Actions runner. With
google-github-actions/auth(Workload Identity Federation, defaultcreate_credentials_file: true), the runner'sGOOGLE_APPLICATION_CREDENTIALSpoints at a WIFexternal_accountcredentials file. Butobject_store's GCS Application Default Credentials resolution went straight to the GCE metadata server instead:A non-GCE GitHub runner has no metadata server, so the round-trip fails. This is an environment/tooling limitation, not a product bug: on a real GKE Workload Identity / GCE deployment the metadata server is present, which is exactly the path
build_object_store_ambient(Gcs, …)(no service-account key → ADC) uses in production.What's verified vs. not
build_object_store_ambient_dispatches_gcs.objstore-real-cloud.yml(test(object_store): real-cloud credential_ref smoke CI for S3 + GCS #569), green against real GCS.Ask
Run
objstore_smoke_gcs_cloud_identity(already incrates/aisix-obs/src/sink/object_store.rs, gated onAISIX_E2E_OBJSTORE_CLOUDID_GCS_BUCKET) on a real GKE pod with Workload Identity (or a GCE VM with an attached service account) that hasroles/storage.objectAdminon the test bucket — there the ambient ADC hits the metadata server and the round-trip should green. Optionally investigate whether a newerobject_storesupports the WIFexternal_accountfile so it could run on a plain GitHub runner.Refs: #572 (keyless cloud_identity CI), #552 (item 3), #549 (DP cloud_identity).