Reduce api call to token service endpoint #364
Comments
|
Hi @GregoireW - can you please provide your action.yml so I can reproduce this on my end? Are you seeing that audit log once per object upload? Are you using google-github-actions/auth? |
|
Hello, There is not a 1-1 api call - file to be transferred, it may be linked to the parallel things but not sure. Here a simple test I use ( I tried direct workload identity and SA workload identity, the result is the same ) : - uses: actions/checkout@v4
id: checkout
- name: generate
run: |
mkdir site
for i in {1..250} ; do
head -c 1M </dev/urandom > site/test-$i.txt ;
done;
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v2'
with:
workload_identity_provider: projects/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
service_account: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
- name: Publish report
uses: google-github-actions/upload-cloud-storage@v2
with:
path: ./site
destination: zzzzzzzzzzzzzzzzzzzzz
parent: false
process_gcloudignore: false
gzip: falseI tried to modify this action to use the transfer manager ( main...GregoireW:upload-cloud-storage:main ) , but no luck there apparently |
|
Hi @GregoireW - I did some digging, and I think this is happening in the GCS library and/or Google Auth library itself. I have three theories from tracing the code:
|
|
Hi @sethvargo The My guess was also a missing lock issue on the authentication side, If I found time this week I will try to override the google authent. On a side note, if you use "gcloud storage cp ..." you have the same issue :/ |
In that case, I definitely think it's an upstream bug sadly. Are you able to file a bug against the google-auth library? Noting that it happens in multiple paths is helpful. We shouldn't be exchanging an STS token on each file upload. |
|
I started with the auth js lib, will see what will be the result. In the meantime I put a lock on the authentication ( https://github.com/GregoireW/upload-cloud-storage/blob/7a3d155590ac7d56d02e7c150065170c27de9366/src/client.ts#L305-L311 ) but clearly it slow down upload ( but at least I got only 2 token exchange api call ) I tried to set something like "if alreadyAuthenticated return super.request else lock (super.request)" when the first file are uploaded it is ok, only 1-2 api call to token exchange, then when authentication is done and the lock is not there anymore the number of call increase again. so ... |
Yea, you really need the lock around the call to the auth token, not the call to the object upload (but you don't have access to those internals at this scope). |
|
I refined the lock usage: With this I lock the authent only on the first call the number of call stay at 2, and the total duration is close to what it was without lock so until new thing, I guess I will stay with that. |
|
This should be resolved as of auth |
|
Thanks @danielbankhead - I think we need |
|
It should be automatically pulled in as it is a minor release (no manual update required). This can be verified via |
|
Ah great, thank you! |
|
Hum... unfortunately, the issue is not resolved with the latest version. The number STS api call is still high. |
|
Hmm - the new version definitely pulled in the latest version. |
|
I double-checked on the library side and I’m unable to reproduce on the latest version with the auth schemes mentioned. Is there any way you can confirm the auth client in use? |
|
The package lock reference a If I compile this action on my computer, thebuild is exactly the same, so it is |
|
Thanks for that information. Would it be possible to determine the resolved type of |
|
I did this in the actions: The log I get : |
|
I've completed a deep dive on this and I'm still unable to reproduce after the fix. However, I do see a path were it would attempt to request a new token each request; do you mind checking the auth.getClient().then((client) => {
console.log('The created client is: ', client);
client.on('tokens', (token) => console.dir({expiry_date: token.expiry_date});
client.getAccessToken();
});If the expiry is within 5 minutes it would be eagerly refreshed each time:
|
|
I got |
|
Thanks, with that I believe we're dealing with the I don't see much else we can do on the auth lib side to improve the experience. |
|
@danielbankhead is there anything I can do in this GitHub Action to re-use the auth client on API calls? |
|
in the I did set the authentication manually in the storage object: then I force an await before launching upload: it reduces the number of API call to 2. @danielbankhead is locking getClient is something possible on oauth side ? or should we put something like I did on client side ? |
That's an excellent point, I'll work on this on the auth side shortly. We haven't had this issue for any other |
|
Released in |
TL;DR
When we use this action with workload identity there is a high number of call made to the token exchange api endpoint.
By default the exchange token endpoint is rate limited to 6k per minutes. As I got some issue with this limit, I tracked down the usage, and this action is one of the few culprit I found.
Detailed design
No response
Additional information
I know this action is using the official @google-cloud/storage library, and I'm pretty sure it is something to be fix on this library but I hope it is ok to open this issue here.
The text was updated successfully, but these errors were encountered: