authentication error when using JWT class & service account credentials & locational api endpoint #2108

@samzilverberg

Following the deprecation messages that were introduced in 10.4.0, I adapted how we instantiate our pubsub client to use the JWT constructor and `authClient` field instead of the `credentials` field.

This works fine with the global api endpoint, but fails with locational and regional endpoints.

The error is:

```
16 UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
```

Example usage that produces the error:

```js
import {PubSub} from '@google-cloud/pubsub'
import {JWT} from 'google-auth-library'

const credentialsInBase64 = process.env.PUBSUB_CREDENTIALS // loaded from secret
const keys = JSON.parse(Buffer.from(credentialsInBase64, 'base64').toString('utf8'))

// This was the suggested way to replace the deprecated way of loading
// service account credentials. validateKeys is a fn that runs some
// validations on the json object.
validateKeys(keys)
const jwt = new JWT()
jwt.fromJSON(keys)

const pubsub = new PubSub({
  projectId: 'your-project-id', // our test area, but this also happens on other projects
  apiEndpoint: 'https://us-east4-pubsub.googleapis.com', // a locational endpoint
  authClient: jwt,
  // credentials: keys <-- this way still works but is getting deprecated.
})
```

When not passing the `apiEndpoint` field, it uses the global one and there is no error.
But that is not an option for us; some features such as message ordering require locational/regional endpoints.
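
An added example, not part of the original issue and not the reporter's or the library's code: one way a `validateKeys` step like the one mentioned above could check a decoded service-account key before it is handed to `JWT.fromJSON`. The `decodeKeys` helper, the token endpoint allow-list and the sample key are assumptions made for illustration.

```javascript
// Added example: one possible validateKeys(); not the reporter's function.
// The allow-list and the sample key are assumptions / constructed values.
const ALLOWED_TOKEN_URIS = new Set(['https://oauth2.googleapis.com/token']);
const PEM_RE = /^-----BEGIN PRIVATE KEY-----\n[A-Za-z0-9+/=\n]+\n-----END PRIVATE KEY-----\n?$/;

function validateKeys(keys) {
  if (keys === null || typeof keys !== 'object' || Array.isArray(keys)) {
    throw new Error('credentials: expected a JSON object');
  }
  // Accept only plain service-account keys. Other credential types
  // (external_account, ...) can name URLs or files for the library to read.
  if (keys.type !== 'service_account') {
    throw new Error('credentials: unsupported type');
  }
  for (const field of ['client_email', 'private_key']) {
    if (typeof keys[field] !== 'string' || keys[field] === '') {
      throw new Error(`credentials: missing ${field}`);
    }
  }
  if (!PEM_RE.test(keys.private_key)) {
    throw new Error('credentials: private_key is not a PKCS#8 PEM block');
  }
  // A tampered token_uri would send signed assertions to another host.
  if (keys.token_uri !== undefined && !ALLOWED_TOKEN_URIS.has(keys.token_uri)) {
    throw new Error('credentials: unexpected token_uri');
  }
  return keys;
}

function decodeKeys(credentialsInBase64) {
  if (typeof credentialsInBase64 !== 'string' || credentialsInBase64 === '') {
    throw new Error('credentials: environment variable is empty');
  }
  let keys;
  try {
    keys = JSON.parse(Buffer.from(credentialsInBase64, 'base64').toString('utf8'));
  } catch {
    // Do not echo the parse error: it can contain fragments of the secret.
    throw new Error('credentials: not base64-encoded JSON');
  }
  return validateKeys(keys);
}

// Constructed sample (not a real key).
const SAMPLE = {
  type: 'service_account', client_email: 'svc@your-project-id.iam.gserviceaccount.com',
  private_key: '-----BEGIN PRIVATE KEY-----\nQUJDREVGRw==\n-----END PRIVATE KEY-----\n',
  token_uri: 'https://oauth2.googleapis.com/token',
};
const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64');
```

The error messages deliberately avoid including any part of the decoded value, so a failed startup does not leak key material into logs.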

Labels: api: pubsub (Issues related to the googleapis/nodejs-pubsub API.)
