Cloud logging

launcher/container_runner.go

@@ -630,7 +630,8 @@ func (r *ContainerRunner) Run(ctx context.Context) error {
 		streamOpt = cio.WithStreams(nil, w, w)
 		r.logger.Info("Container stdout/stderr will be redirected to serial and Cloud Logging. This may result in performance issues due to slow serial console writes.")
 	case spec.CloudLogging:
-		streamOpt = cio.WithStreams(nil, os.Stdout, os.Stdout)
+		cloudWriter := r.logger.CloudOnlyWriter()
+		streamOpt = cio.WithStreams(nil, cloudWriter, cloudWriter)
 		r.logger.Info("Container stdout/stderr will be redirected to Cloud Logging.")
 	case spec.Serial:
 		streamOpt = cio.WithStreams(nil, r.serialConsole, r.serialConsole)

launcher/internal/logging/logging.go

@@ -5,6 +5,7 @@ package logging
 import (
 	"context"
 	"fmt"
+	"io"
 	"log/slog"
 	"os"
 
@@ -31,6 +32,8 @@ type Logger interface {
 
 	SerialConsoleFile() *os.File
 	Close()
+
+	CloudOnlyWriter() io.Writer
 }
 
 type cLogger interface {
@@ -48,6 +51,11 @@ type logger struct {
 	serialConsoleFile *os.File
 }
 
+// cloudOnlyWriter implements the io.Writer interface, but only writes to Cloud Logging.
+type cloudOnlyWriter struct {
+	l *logger
+}
+
 type payload map[string]any
 
 // NewLogger returns a Logger with Cloud and Serial Console logging configured.
@@ -211,6 +219,11 @@ func (l *logger) Error(msg string, args ...any) {
 	l.writeLog(clogging.Error, msg, args...)
 }
 
+// CloudOnlyWriter returns an io.Writer that only logs to Cloud Logging.
+func (l *logger) CloudOnlyWriter() io.Writer {
+	return &cloudOnlyWriter{l: l}
+}
+
 // SimpleLogger returns a lightweight implementation that wraps a slog.Default() logger.
 // Suitable for testing.
 func SimpleLogger() Logger {
@@ -221,6 +234,11 @@ type slogger struct {
 	slg *slog.Logger
 }
 
+// CloudOnlyWriter returns nil for slogger, as it does not support Cloud-only logging.
+func (l *slogger) CloudOnlyWriter() io.Writer {
+	return nil
+}
+
 // Log logs msg and args with the provided severity.
 func (l *slogger) Log(severity clogging.Severity, msg string, args ...any) {
 	level := slog.LevelDebug
@@ -255,3 +273,18 @@ func (l *slogger) SerialConsoleFile() *os.File {
 }
 
 func (l *slogger) Close() {}
+
+// Write implements the io.Writer interface for the cloudOnlyWriter struct.
+func (w *cloudOnlyWriter) Write(p []byte) (n int, err error) {
+	// Trim any trailing newline.
+	end := len(p)
+	for end > 0 && p[end-1] == '\n' {
+		end--
+	}
+	msg := string(p[:end])
+
+	// Log the message to Cloud Logging.
+	w.l.writeLog(clogging.Info, msg)
+
+	return len(p), nil
+}

launcher/teeserver/tee_server.go

@@ -53,6 +53,10 @@ type TeeServer struct {
 	netListener net.Listener
 }
 
+const (
+	audienceSTS = "https://sts.googleapis.com"
+)
+
 // New takes in a socket and start to listen to it, and create a server
 func New(ctx context.Context, unixSock string, a agent.AttestationAgent, logger logging.Logger, launchSpec spec.LaunchSpec, clients *AttestClients) (*TeeServer, error) {
 	var err error
@@ -161,9 +165,8 @@ func (a *attestHandler) attest(w http.ResponseWriter, r *http.Request, client ve
 		}
 
 		if tokenOptions.Audience == "" {
-			err := fmt.Errorf("use GET request for the default identity token")
-			a.logAndWriteHTTPError(w, http.StatusBadRequest, err)
-			return
+
+			tokenOptions.Audience = audienceSTS
 		}
 
 		if tokenOptions.TokenType == "" {