mark/vibn-agent-runner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: use service account JSON key for Vertex AI auth instead of metadata server

Browse Source 
The VM's metadata server doesn't grant cloud-platform scope by default.
Read GOOGLE_APPLICATION_CREDENTIALS_JSON env var (service account key JSON)
and pass it directly to GoogleAuth. Falls back to metadata server if unset.
This restores GLM-5 access via Vertex AI.

Made-with: Cursor
This commit is contained in:
mawkone
2026-02-27 19:51:48 -08:00
parent 1dafd05371
commit 229987e788
2 changed files with 34 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
dist/llm.js vendored
View File

@@ -12,9 +12,23 @@ const uuid_1 = require("uuid");
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
let _cachedToken = ''; let _cachedToken = '';
let _tokenExpiry = 0; let _tokenExpiry = 0;
const _googleAuth = new google_auth_library_1.GoogleAuth({ // Prefer an explicit JSON key (set as env var in Coolify) over the metadata server.
scopes: ['https://www.googleapis.com/auth/cloud-platform'] // This avoids the "insufficient scope" error that occurs when the VM's service
}); // account was created without the cloud-platform scope.
function buildGoogleAuth() {
const jsonKey = process.env.GOOGLE_APPLICATION_CREDENTIALS_JSON;
if (jsonKey) {
try {
const credentials = JSON.parse(jsonKey);
return new google_auth_library_1.GoogleAuth({ credentials, scopes: ['https://www.googleapis.com/auth/cloud-platform'] });
}
catch {
console.warn('[llm] GOOGLE_APPLICATION_CREDENTIALS_JSON is set but failed to parse — falling back to metadata server');
}
}
return new google_auth_library_1.GoogleAuth({ scopes: ['https://www.googleapis.com/auth/cloud-platform'] });
}
const _googleAuth = buildGoogleAuth();
async function getVertexToken() { async function getVertexToken() {
const now = Date.now(); const now = Date.now();
if (_cachedToken && now < _tokenExpiry) if (_cachedToken && now < _tokenExpiry)

20
src/llm.ts
View File

@@ -70,9 +70,23 @@ export interface LLMClient {
let _cachedToken = ''; let _cachedToken = '';
let _tokenExpiry = 0; let _tokenExpiry = 0;
const _googleAuth = new GoogleAuth({ // Prefer an explicit JSON key (set as env var in Coolify) over the metadata server.
scopes: ['https://www.googleapis.com/auth/cloud-platform'] // This avoids the "insufficient scope" error that occurs when the VM's service
}); // account was created without the cloud-platform scope.
function buildGoogleAuth(): GoogleAuth {
const jsonKey = process.env.GOOGLE_APPLICATION_CREDENTIALS_JSON;
if (jsonKey) {
try {
const credentials = JSON.parse(jsonKey);
return new GoogleAuth({ credentials, scopes: ['https://www.googleapis.com/auth/cloud-platform'] });
} catch {
console.warn('[llm] GOOGLE_APPLICATION_CREDENTIALS_JSON is set but failed to parse — falling back to metadata server');
}
}
return new GoogleAuth({ scopes: ['https://www.googleapis.com/auth/cloud-platform'] });
}
const _googleAuth = buildGoogleAuth();
async function getVertexToken(): Promise<string> { async function getVertexToken(): Promise<string> {
const now = Date.now(); const now = Date.now();