node.js google-secret-manager

Error: 16 UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid auth credential


My Node.js code utilizing Google Secret Manager stopped working (it worked fine some time ago). I have set the GOOGLE_APPLICATION_CREDENTIALS env variable to a valid path, and console.log(process.env.GOOGLE_APPLICATION_CREDENTIALS); prints it correctly. I've even tried re-generating a new .json file and still get the same error. Originally it was without keyFilename, but both give the same result, the error. The keys are enabled in the management website. I have tried calling await client.initialize(); as well.

Is there a way to debug this more? Could the recent change from winter to summer time have an effect? But then why don't the re-generated keys work?

const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
const client = new SecretManagerServiceClient({
  keyFilename: 'path-to.json'
});

const projectId = 'project-number';
const parent = 'projects/' + projectId;

// ...
async function listSecrets() { // Calling this throws the error
  const [secrets] = await client.listSecrets({
    parent: parent
  });
  return secrets;
}

Full error stack:

[2021-04-12T09:14:56.366Z] (node:51988) UnhandledPromiseRejectionWarning: Error: 16 UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
    at Object.callErrorFromStatus (<super-secret-path>\node_modules\@grpc\grpc-js\build\src\call.js:31:26)
    at Object.onReceiveStatus (<super-secret-path>\node_modules\@grpc\grpc-js\build\src\client.js:176:52)
    at Object.onReceiveStatus (<super-secret-path>\node_modules\@grpc\grpc-js\build\src\client-interceptors.js:336:141)
    at Object.onReceiveStatus (<super-secret-path>\node_modules\@grpc\grpc-js\build\src\client-interceptors.js:299:181)
    at <super-secret-path>\node_modules\@grpc\grpc-js\build\src\call-stream.js:130:78
    at processTicksAndRejections (internal/process/task_queues.js:75:11)

Solution

  • I installed the Google Cloud SDK and ran gcloud auth activate-service-account on my server, which threw:

    ERROR: (gcloud.auth.activate-service-account) There was a problem refreshing your current auth tokens: ('invalid_grant: Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values in the JWT claim.', '{"error":"invalid_grant","error_description":"Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values in the JWT claim."}')
    

    Which, after further Googling, led me to check my server's time, which was now 2h behind, due to the recent winter->summer change; I suppose before it was 1h late, which still fit. Adjusting the time solved the problem. (http://time.is is helpful)

    Funnily enough, I could log in with "human" credentials.
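
A simplified model of the time-window check that the invalid_grant message describes, as an added example that is not part of the original post. The function names, the 300-second tolerance and the sample Date header are assumptions made for illustration; only the 60-minute lifetime limit comes from the error text above.

```javascript
'use strict';
// MAX_LIFETIME_SEC is taken from the error text on this page (60 minutes).
// TOLERANCE_SEC is an assumed grace window, not a documented Google value.
const MAX_LIFETIME_SEC = 3600;
const TOLERANCE_SEC = 300;

// Local clock minus server clock, in seconds, from an HTTP Date header.
function estimateSkewSeconds(dateHeader, localNowMs) {
  const serverMs = Date.parse(dateHeader);
  if (Number.isNaN(serverMs)) throw new Error('unparseable Date header: ' + dateHeader);
  return Math.round((localNowMs - serverMs) / 1000);
}

// iat/exp as a client stamps them from its own (possibly wrong) clock.
function assertionClaims(localNowMs, lifetimeSec = MAX_LIFETIME_SEC) {
  const iat = Math.floor(localNowMs / 1000);
  return { iat, exp: iat + lifetimeSec };
}

// Simplified server-side check of the "reasonable timeframe" rule.
function checkClaims(claims, serverNowMs, toleranceSec = TOLERANCE_SEC) {
  const now = Math.floor(serverNowMs / 1000);
  if (claims.exp - claims.iat > MAX_LIFETIME_SEC) return 'rejected: lifetime over 60 minutes';
  if (claims.iat > now + toleranceSec) return 'rejected: iat in the future';
  if (claims.exp < now - toleranceSec) return 'rejected: exp in the past';
  return 'accepted';
}

// Constructed sample: a Date header as returned by any trusted HTTPS endpoint.
const SAMPLE_DATE_HEADER = 'Mon, 12 Apr 2021 09:14:56 GMT';

// Combine both steps: how far off is the local clock, and would a token
// stamped with that clock still fall inside the server's window?
function diagnose(localNowMs, dateHeader = SAMPLE_DATE_HEADER) {
  const skewSec = estimateSkewSeconds(dateHeader, localNowMs);
  const verdict = checkClaims(assertionClaims(localNowMs), Date.parse(dateHeader));
  return { skewSec, verdict };
}

// Local clock correct, 1h behind, and 2h behind the server.
for (const hoursBehind of [0, 1, 2]) {
  const localNowMs = Date.parse(SAMPLE_DATE_HEADER) - hoursBehind * 3600 * 1000;
  console.log(hoursBehind + 'h behind:', diagnose(localNowMs));
}
```

In this model a clock that is 1h slow produces a token whose exp lands exactly on the server's current time, which is why that offset can go unnoticed until the clock drifts further.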