Saturday, October 8, 2022

[SOLVED] Google Cloud Pub/Sub C++ Client: Authentication Failure When Binary Has setuid (root) [CentOS7]

Issue

The application (bin) loads the (service account) credentials fine when it has "normal" permissions. This is the run script:

#!/bin/bash
export GOOGLE_APPLICATION_CREDENTIALS=/home/user/config/gcloud/key.json
./bin

However, when the permissions of bin are changed:

chown root:root bin
chmod u+s bin

I get this error:

E1003 10:02:07.563899584 60263 credentials_generic.cc:35] Could not get HOME environment variable.
E1003 10:02:10.563621247 60263 google_default_credentials.cc:461] Could not create google default credentials: UNKNOWN:creds_path unset {created_time:"2022-10-03T10:02:07.563943484+09:00"}

Any advice would be appreciated.

Thanks.


Solution

As far as I can tell, this is expected behavior for gRPC. gRPC uses secure_getenv() to get all environment variables. In your case, that means gRPC ignores the GOOGLE_APPLICATION_CREDENTIALS that was set.

You may need to change your application to use explicit service account credentials. Something like:

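#include <fstream>
#include <iterator>
#include <string>
#include "google/cloud/credentials.h"
#include "google/cloud/pubsub/publisher.h"

namespace pubsub = ::google::cloud::pubsub;

// Read the service account key file directly instead of relying on
// GOOGLE_APPLICATION_CREDENTIALS.
auto is = std::ifstream(filename);
auto json_string =
    std::string(std::istreambuf_iterator<char>(is.rdbuf()), {});
auto credentials =
    google::cloud::MakeServiceAccountCredentials(json_string);

// Pass the credentials explicitly when creating the publisher connection.
auto publisher = pubsub::Publisher(
    pubsub::MakePublisherConnection(
        pubsub::Topic(project_id, topic_id),
        google::cloud::Options{}
           .set<google::cloud::UnifiedCredentialsOption>(
                credentials)));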


Answered By - coryan
Answer Checked By - Senaida (WPSolving Volunteer)
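
An added example (not part of the original answer or of the google-cloud-cpp project): it shows what a secure_getenv()-based reader sees in a setuid process, and one way to vet the key file before passing its contents to MakeServiceAccountCredentials from a setuid-root binary. The function names and the ownership/permission policy are assumptions made for illustration; the code relies on glibc's secure_getenv() and getauxval().

```cpp
// Added example: constructed for illustration, not from the original answer.
#include <fcntl.h>
#include <stdlib.h>
#include <sys/auxv.h>
#include <sys/stat.h>
#include <unistd.h>

#include <string>

// True when the kernel flagged this process for "secure execution"
// (for example a setuid binary whose real and effective UIDs differ).
bool InSecureExecution() { return getauxval(AT_SECURE) != 0; }

// What a secure_getenv()-based reader sees: the value in a normal
// process, nullptr in secure execution even if the variable is exported.
const char* EnvAsSecureReaderSeesIt(const char* name) {
  return secure_getenv(name);
}

// Hypothetical helper: read a key file only if it is a regular file owned
// by the effective UID (root for a setuid-root binary) and not writable by
// group or others. Returns false and leaves `out` empty otherwise.
bool ReadTrustedKeyFile(const char* path, std::string& out) {
  out.clear();
  int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
  if (fd < 0) return false;
  struct stat st;
  // fstat() on the open descriptor avoids a check-then-open race.
  bool ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
            st.st_uid == geteuid() &&
            (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
  char buf[4096];
  ssize_t n = 0;
  while (ok && (n = read(fd, buf, sizeof buf)) > 0) out.append(buf, n);
  if (n < 0) ok = false;
  close(fd);
  if (!ok) out.clear();
  return ok;
}
```

The path given to ReadTrustedKeyFile should be a fixed, root-controlled location rather than anything taken from the caller's environment or arguments.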