fix: decode GCP_SA_KEY_BASE64 for Vertex AI auth (avoids Dockerfile injection issues)

Made-with: Cursor
2026-02-27 20:00:21 -08:00
parent 229987e788
commit 3417578c28
2 changed files with 18 additions and 14 deletions

16
dist/llm.js vendored

@@ -12,18 +12,20 @@ const uuid_1 = require("uuid");
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
let _cachedToken = ''; let _cachedToken = '';
let _tokenExpiry = 0; let _tokenExpiry = 0;
// Prefer an explicit JSON key (set as env var in Coolify) over the metadata server. // Build GoogleAuth with explicit service account credentials when available.
// This avoids the "insufficient scope" error that occurs when the VM's service // GCP_SA_KEY_BASE64: base64-encoded service account JSON key — safe to pass as
// account was created without the cloud-platform scope. // an env var since it contains no newlines or special shell characters.
// Falls back to the GCP metadata server (works on VMs with correct scopes).
function buildGoogleAuth() { function buildGoogleAuth() {
const jsonKey = process.env.GOOGLE_APPLICATION_CREDENTIALS_JSON; const b64Key = process.env.GCP_SA_KEY_BASE64;
if (jsonKey) { if (b64Key) {
try { try {
const credentials = JSON.parse(jsonKey); const jsonStr = Buffer.from(b64Key, 'base64').toString('utf8');
const credentials = JSON.parse(jsonStr);
return new google_auth_library_1.GoogleAuth({ credentials, scopes: ['https://www.googleapis.com/auth/cloud-platform'] }); return new google_auth_library_1.GoogleAuth({ credentials, scopes: ['https://www.googleapis.com/auth/cloud-platform'] });
} }
catch { catch {
console.warn('[llm] GOOGLE_APPLICATION_CREDENTIALS_JSON is set but failed to parse — falling back to metadata server'); console.warn('[llm] GCP_SA_KEY_BASE64 is set but failed to decode/parse — falling back to metadata server');
} }
} }
return new google_auth_library_1.GoogleAuth({ scopes: ['https://www.googleapis.com/auth/cloud-platform'] }); return new google_auth_library_1.GoogleAuth({ scopes: ['https://www.googleapis.com/auth/cloud-platform'] });


@@ -70,17 +70,19 @@ export interface LLMClient {
let _cachedToken = ''; let _cachedToken = '';
let _tokenExpiry = 0; let _tokenExpiry = 0;
// Prefer an explicit JSON key (set as env var in Coolify) over the metadata server. // Build GoogleAuth with explicit service account credentials when available.
// This avoids the "insufficient scope" error that occurs when the VM's service // GCP_SA_KEY_BASE64: base64-encoded service account JSON key — safe to pass as
// account was created without the cloud-platform scope. // an env var since it contains no newlines or special shell characters.
// Falls back to the GCP metadata server (works on VMs with correct scopes).
function buildGoogleAuth(): GoogleAuth { function buildGoogleAuth(): GoogleAuth {
const jsonKey = process.env.GOOGLE_APPLICATION_CREDENTIALS_JSON; const b64Key = process.env.GCP_SA_KEY_BASE64;
if (jsonKey) { if (b64Key) {
try { try {
const credentials = JSON.parse(jsonKey); const jsonStr = Buffer.from(b64Key, 'base64').toString('utf8');
const credentials = JSON.parse(jsonStr);
return new GoogleAuth({ credentials, scopes: ['https://www.googleapis.com/auth/cloud-platform'] }); return new GoogleAuth({ credentials, scopes: ['https://www.googleapis.com/auth/cloud-platform'] });
} catch { } catch {
console.warn('[llm] GOOGLE_APPLICATION_CREDENTIALS_JSON is set but failed to parse — falling back to metadata server'); console.warn('[llm] GCP_SA_KEY_BASE64 is set but failed to decode/parse — falling back to metadata server');
} }
} }
return new GoogleAuth({ scopes: ['https://www.googleapis.com/auth/cloud-platform'] }); return new GoogleAuth({ scopes: ['https://www.googleapis.com/auth/cloud-platform'] });
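Review bot: When `GCP_SA_KEY_BASE64` is set but unusable, the `catch` in `buildGoogleAuth` only warns and falls through to the metadata-server `GoogleAuth`, so the service keeps running under whatever identity the host provides rather than the one the operator configured; a deployment that still sets only the removed `GOOGLE_APPLICATION_CREDENTIALS_JSON` takes the same path with no warning at all. `Buffer.from(b64Key, 'base64')` does not throw on malformed input, so the only failure actually detected is `JSON.parse`, and a value that parses but is not a key object is handed straight to `GoogleAuth`. I would fail closed whenever the variable is present: check the shape with `if (typeof credentials?.client_email !== 'string' || typeof credentials?.private_key !== 'string') throw new Error('[llm] GCP_SA_KEY_BASE64 is not a service account key');` and rethrow from the `catch` instead of warning. The new comment's "safe to pass as an env var" describes transport only and would be clearer as `// base64 only avoids quoting/newline problems; the value is still a private key and must be handled as a secret`. The compiled copy in dist/llm.js carries the same code, and the function's closing brace is not visible in this hunk.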