mark/vibn-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: base64-encode SA key to survive Docker ARG special chars

Browse Source 
Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Mark Henderson
2026-02-19 15:48:41 -08:00
parent 68f844ce52
commit c68152d999
1 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
lib/cloud-run-workspace.ts
View File

@@ -21,9 +21,11 @@ const CLOUD_RUN_API = `https://run.googleapis.com/v2/projects/${PROJECT_ID}/loca
const SCOPES = ['https://www.googleapis.com/auth/cloud-platform'];
async function getAccessToken(): Promise<string> {
// Prefer an explicit service account key (avoids GCE metadata scope limitations)
const keyJson = process.env.GOOGLE_SERVICE_ACCOUNT_KEY;
if (keyJson) {
// Prefer an explicit service account key (avoids GCE metadata scope limitations).
// Stored as base64 to survive Docker ARG/ENV special-character handling.
const keyB64 = process.env.GOOGLE_SERVICE_ACCOUNT_KEY_B64;
if (keyB64) {
const keyJson = Buffer.from(keyB64, 'base64').toString('utf-8');
const key = JSON.parse(keyJson) as {
client_email: string;
private_key: string;
@@ -35,7 +37,7 @@ async function getAccessToken(): Promise<string> {
});
const token = await jwt.getAccessToken();
if (!token.token) throw new Error('Failed to get GCP access token from service account key');
return token.token;
return token.token as string;
}
// Fall back to ADC (works locally or on GCE with cloud-platform scope)