fix: base64-encode SA key to survive Docker ARG special chars

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-19 15:48:41 -08:00
parent 68f844ce52
commit c68152d999


@@ -21,9 +21,11 @@ const CLOUD_RUN_API = `https://run.googleapis.com/v2/projects/${PROJECT_ID}/loca
const SCOPES = ['https://www.googleapis.com/auth/cloud-platform']; const SCOPES = ['https://www.googleapis.com/auth/cloud-platform'];
async function getAccessToken(): Promise<string> { async function getAccessToken(): Promise<string> {
// Prefer an explicit service account key (avoids GCE metadata scope limitations) // Prefer an explicit service account key (avoids GCE metadata scope limitations).
const keyJson = process.env.GOOGLE_SERVICE_ACCOUNT_KEY; // Stored as base64 to survive Docker ARG/ENV special-character handling.
if (keyJson) { const keyB64 = process.env.GOOGLE_SERVICE_ACCOUNT_KEY_B64;
if (keyB64) {
const keyJson = Buffer.from(keyB64, 'base64').toString('utf-8');
const key = JSON.parse(keyJson) as { const key = JSON.parse(keyJson) as {
client_email: string; client_email: string;
private_key: string; private_key: string;
@@ -35,7 +37,7 @@ async function getAccessToken(): Promise<string> {
}); });
const token = await jwt.getAccessToken(); const token = await jwt.getAccessToken();
if (!token.token) throw new Error('Failed to get GCP access token from service account key'); if (!token.token) throw new Error('Failed to get GCP access token from service account key');
return token.token; return token.token as string;
} }
// Fall back to ADC (works locally or on GCE with cloud-platform scope) // Fall back to ADC (works locally or on GCE with cloud-platform scope)
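Review bot: The new decode path in getAccessToken does not validate its input: `Buffer.from(keyB64, 'base64')` silently skips malformed characters, so a truncated or mis-pasted value only fails inside `JSON.parse`, whose SyntaxError on recent Node versions quotes a fragment of the decoded text and could put key material into logs. Wrapping the parse as `try { key = JSON.parse(keyJson); } catch { throw new Error('GOOGLE_SERVICE_ACCOUNT_KEY_B64 is not valid base64-encoded JSON'); }` and checking that `client_email` and `private_key` are strings before the JWT is built would keep the failure message fixed. Base64 is an encoding, not protection; the Dockerfile is not shown here, but if the value is passed as a build `ARG` as the commit title suggests, it stays recoverable from the image's build history, so runtime injection or a BuildKit secret mount is the safer route. Deployments that still set only `GOOGLE_SERVICE_ACCOUNT_KEY` will now fall through to ADC without any warning. The body of getAccessToken continues between and after the two hunks, so the JWT construction and the ADC fallback are not visible here.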