My Node.js code utilizing Google Secret Manager stopped working (it worked fine some time ago). I have set GOOGLE_APPLICATION_CREDENTIALS env variable to valid path and console.log(process.env.GOOGLE_APPLICATION_CREDENTIALS); prints it correctly.
I've even tried to re-generate new .json file and still get the same error. Originally it was without keyFilename, but both give same results, the error. The keys are enabled in the management website.
I have tried to call await client.initialize(); as well.
Is there a way to debug this more? Could a recent change from winter to summer time have effect? But then why re-generated keys don't work?
const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
const client = new SecretManagerServiceClient({
keyFilename: 'path-to.json'
});
const projectId = 'project-number';
const parent = 'projects/' + projectId;
...
async function listSecrets() { // Calling this throws the error
const [secrets] = await client.listSecrets({
parent: parent
});
Full error stack:
[2021-04-12T09:14:56.366Z] (node:51988) UnhandledPromiseRejectionWarning: Error: 16 UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
at Object.callErrorFromStatus (<super-secret-path>\node_modules\@grpc\grpc-js\build\src\call.js:31:26)
at Object.onReceiveStatus (<super-secret-path>\node_modules\@grpc\grpc-js\build\src\client.js:176:52)
at Object.onReceiveStatus (<super-secret-path>\node_modules\@grpc\grpc-js\build\src\client-interceptors.js:336:141)
at Object.onReceiveStatus (<super-secret-path>\node_modules\@grpc\grpc-js\build\src\client-interceptors.js:299:181)
at <super-secret-path>\node_modules\@grpc\grpc-js\build\src\call-stream.js:130:78
at processTicksAndRejections (internal/process/task_queues.js:75:11)
I've installed Google Cloud SDK, ran gcloud auth activate-service-account on my server, it fired
ERROR: (gcloud.auth.activate-service-account) There was a problem refreshing your current auth tokens: ('invalid_grant: Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values in the JWT claim.', '{"error":"invalid_grant","error_description":"Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values in the JWT claim."}')
Which, after further Googling, led me to check my server's time, which was 2h behind now, due to recent change winter->summer, I suppose before it was 1h late which still fit. Adjusting the time solved the problem. (http://time.is is helpful)
Funnily enough, I could login with "human" credentials.