Remove unnecessary calls to the GCP metadata server

drcapulet · byroot · commit bd573b02494d · 2025-07-18T09:41:26.000+02:00
Calling Google::Auth.get_application_default triggers an explicit call to
the metadata server - given it was being called for significant number of
file operations, it can lead to considerable tail latencies and even metadata
server overloads. Instead, it's preferable (and significantly more efficient)
that applications use:

Google::Apis::RequestOptions.default.authorization = Google::Auth.get_application_default(...)

In the cases applications do not set that, the GCP libraries automatically determine credentials.
diff --git a/activestorage/CHANGELOG.md b/activestorage/CHANGELOG.md
@@ -1,3 +1,22 @@
+*   Remove unnecessary calls to the GCP metadata server.
+
+    Calling Google::Auth.get_application_default triggers an explicit call to
+    the metadata server - given it was being called for significant number of
+    file operations, it can lead to considerable tail latencies and even metadata
+    server overloads. Instead, it's preferable (and significantly more efficient)
+    that applications use:
+
+    ```ruby
+    Google::Apis::RequestOptions.default.authorization = Google::Auth.get_application_default(...)
+    ```
+
+    In the cases applications do not set that, the GCP libraries automatically determine credentials.
+
+    This also enables using credentials other than those of the associated GCP
+    service account like when using impersonation.
+
+    *Alex Coomans*
+
 *   Direct upload progress accounts for server processing time.
 
     *Jeremy Daer*
diff --git a/activestorage/lib/active_storage/service/gcs_service.rb b/activestorage/lib/active_storage/service/gcs_service.rb
@@ -213,8 +213,16 @@ def signer
         lambda do |string_to_sign|
           iam_client = Google::Apis::IamcredentialsV1::IAMCredentialsService.new
 
-          scopes = ["https://www.googleapis.com/auth/iam"]
-          iam_client.authorization = Google::Auth.get_application_default(scopes)
+          # We explicitly do not set iam_client.authorization so that it uses the
+          # credentials set by the application at Google::Apis::RequestOptions.default.authorization.
+          # If the application does not set it, the GCP libraries will automatically
+          # determine it on each call. This code previously explicitly set the
+          # authorization to Google::Auth.get_application_default which triggers
+          # an explicit call to the metadata server - given this lambda is called
+          # for a significant number of file operations, it can lead to considerable
+          # tail latencies and even metadata server overloads. Additionally, that
+          # prevented applications from being able to configure the credentials
+          # used to perform the signature operation.
 
           request = Google::Apis::IamcredentialsV1::SignBlobRequest.new(
             payload: string_to_sign
