Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to enable server certificate verification on the Nodejs clients like MetricServiceClient/KeyManagementServiceClient for Mutual TLS ? #5453

Closed
Ruthwik opened this issue Jun 11, 2024 · 5 comments
Closed

How to enable server certificate verification on the Nodejs clients like MetricServiceClient/KeyManagementServiceClient for Mutual TLS ? #5453

Ruthwik opened this issue Jun 11, 2024 · 5 comments
Assignees
@sofisl

Comments

@Ruthwik
Copy link

Ruthwik commented Jun 11, 2024
edited
Loading

We are using Nodejs MetricServiceClient/KeyManagementServiceClient client in our product. How do we enable server certificate verification in the MetricServiceClient/KeyManagementServiceClient client?
We want to enable client-side verification of server certificates with our CA bundle.
We've explored the options of MetricServiceClient/KeyManagementServiceClient but couldn't find any.

In the case of other cloud providers we have found a way to pass the CA bundle in the options where the client verifies.

Example for AWS

const nodeOptions = {
    httpsAgent: new https.Agent({
        rejectUnauthorized: true,
        ca: caBundle,
        maxVersion
    }),
};

const requestHandler =  new NodeHttpHandler(nodeOptions);
const athena = new AthenaClient({ credentials, region : 'us-east-1', requestHandler });

In the above example, If rejectUnauthorized is true the server will reject any connection which is not authorized with the list of supplied CAs. I also found the it is different for services and client in google nodejs SDK.

@beccasaurus @blowmage
@Ruthwik Ruthwik changed the title How to enable server certificate verification on the Nodejs clients like MetricServiceClient for Mutual TLS ? How to enable server certificate verification on the Nodejs clients like MetricServiceClient/KeyManagementServiceClient for Mutual TLS ? Jun 11, 2024
@guru1306
Copy link

I am also facing the similar issue. Did you find any solution?

@sofisl
Copy link
Contributor

sofisl commented Jul 10, 2024
edited
Loading

I don't think this can be done through grpc, see. However, I do think this could be done using our REST transport. You should be able to configure a client to use mTLS or use the agent parameter like bigquery. In order to do this you'll need to instantiate using the googleapis library, like so:

const {google} = require('googleapis/cloudkms');
const cloudkms = google.cloudkms('v1');

and in the request, you can send a second parameter (options) that extends GaxiosOptions

@sofisl
Copy link
Contributor

sofisl commented Jul 18, 2024

@Ruthwik did this work for you?

@sofisl sofisl added the needs more info This issue needs more information from the customer to proceed. label Jul 18, 2024
@sofisl sofisl self-assigned this Jul 18, 2024
@Ruthwik
Copy link
Author

Ruthwik commented Jul 19, 2024
edited
Loading

@sofisl I will post here once I try these changes. It requires a change of our current libraries.

'@google-cloud/kms'

Is it also the same for monitoring client? '@google-cloud/monitoring'

@github-actions github-actions bot removed the needs more info This issue needs more information from the customer to proceed. label Jul 19, 2024
@sofisl
Copy link
Contributor

sofisl commented Feb 8, 2025

Yes, it should. Closing for now to try and keep queue clean - please open a new issue if this doesn't work for you!

@sofisl sofisl closed this as completed Feb 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sofisl sofisl

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Ruthwik @guru1306 @sofisl