fix: decode GCP_SA_KEY_BASE64 for Vertex AI auth (avoids Dockerfile injection issues)

Made-with: Cursor
2026-02-27 20:00:21 -08:00
parent 229987e788
commit 3417578c28
2 changed files with 18 additions and 14 deletions


@@ -70,17 +70,19 @@ export interface LLMClient {
let _cachedToken = '';
let _tokenExpiry = 0;
// Prefer an explicit JSON key (set as env var in Coolify) over the metadata server.
// This avoids the "insufficient scope" error that occurs when the VM's service
// account was created without the cloud-platform scope.
// Build GoogleAuth with explicit service account credentials when available.
// GCP_SA_KEY_BASE64: base64-encoded service account JSON key — safe to pass as
// an env var since it contains no newlines or special shell characters.
// Falls back to the GCP metadata server (works on VMs with correct scopes).
function buildGoogleAuth(): GoogleAuth {
const jsonKey = process.env.GOOGLE_APPLICATION_CREDENTIALS_JSON;
if (jsonKey) {
const b64Key = process.env.GCP_SA_KEY_BASE64;
if (b64Key) {
try {
const credentials = JSON.parse(jsonKey);
const jsonStr = Buffer.from(b64Key, 'base64').toString('utf8');
const credentials = JSON.parse(jsonStr);
return new GoogleAuth({ credentials, scopes: ['https://www.googleapis.com/auth/cloud-platform'] });
} catch {
console.warn('[llm] GOOGLE_APPLICATION_CREDENTIALS_JSON is set but failed to parse — falling back to metadata server');
console.warn('[llm] GCP_SA_KEY_BASE64 is set but failed to decode/parse — falling back to metadata server');
}
}
return new GoogleAuth({ scopes: ['https://www.googleapis.com/auth/cloud-platform'] });
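Review bot: When GCP_SA_KEY_BASE64 is set but does not decode to valid JSON, the catch block in buildGoogleAuth only warns and then returns the metadata-server GoogleAuth, so the process silently runs as whatever identity the host provides instead of the service account the operator configured. Failing closed is safer for a credential that was set explicitly: replace the warn with `throw new Error('[llm] GCP_SA_KEY_BASE64 is set but could not be decoded/parsed');`, keeping the parse error's own message out of the text because it can echo part of the input. Deployments that still set only GOOGLE_APPLICATION_CREDENTIALS_JSON now take the same fallback with no warning at all, since that variable is no longer read. The new comment's "safe to pass as an env var" covers quoting only, so I would reword it to `// base64 only avoids quoting problems; the value is still a private key and must be supplied at runtime, not baked into an image layer`. The function's closing brace lies outside the hunk.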