You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, hasVertexAdcCredentials() synchronously checks the filesystem for Application Default Credentials (ADC) files using fs.existsSync(). This logic completely breaks deployments on native Google Cloud environments (Google Compute Engine, Cloud Run, GKE, App Engine). In these environments, ADC does not use local files; it relies dynamically on the local GCP Metadata Server (169.254.169.254). Because the local ~/.config/ file is missing, the check fails, and the google-vertex provider is incorrectly marked as unauthenticated.
Fix
It is an anti-pattern to reimplement Google's ADC resolution synchronously in user-land because checking the Metadata Server requires an asynchronous network request.
This PR updates the logic:
If GOOGLE_APPLICATION_CREDENTIALS is explicitly set, we still check if the file exists (catching explicit misconfigurations early).
If it is not set, we skip the strict ~/.config/... file check and return true.
This safely delegates the final credential validation to the official @google-cloud/vertexai SDK. If a user is running locally and simply forgot to log in, the Google SDK will naturally throw its standard, descriptive auth error ("Could not load the default credentials"), which is the correct and expected behavior.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Problem
Currently,
hasVertexAdcCredentials()synchronously checks the filesystem for Application Default Credentials (ADC) files usingfs.existsSync(). This logic completely breaks deployments on native Google Cloud environments (Google Compute Engine, Cloud Run, GKE, App Engine). In these environments, ADC does not use local files; it relies dynamically on the local GCP Metadata Server (169.254.169.254). Because the local~/.config/file is missing, the check fails, and thegoogle-vertexprovider is incorrectly marked as unauthenticated.Fix
It is an anti-pattern to reimplement Google's ADC resolution synchronously in user-land because checking the Metadata Server requires an asynchronous network request.
This PR updates the logic:
GOOGLE_APPLICATION_CREDENTIALSis explicitly set, we still check if the file exists (catching explicit misconfigurations early).~/.config/...file check and return true.This safely delegates the final credential validation to the official
@google-cloud/vertexai SDK. If a user is running locally and simply forgot to log in, the Google SDK will naturally throw its standard, descriptive auth error ("Could not load the default credentials"), which is the correct and expected behavior.Beta Was this translation helpful? Give feedback.
All reactions