Hi all. I'm getting a timeout error from GCP when ...
# google-cloud
l
Hi all. I'm getting a timeout error from GCP when trying to do ... well, anything really:
debug: Dismissed an error as retryable. marked as timeout - Post https://oauth2.googleapis.com/token: dial tcp: i/o timeout
This only happens when on our corporate VPN, but it's a little baffling because I can ping and telnet to https://oauth2.googleapis.com/ just fine (as well as any *.googleapis.com address). Is there any way to get more information about the token call it's making, beyond debug mode?
Another thing: we're using GCS for state management, and Pulumi doesn't have any problem doing that over our VPN. So this seems specific to how the GCP provider is authenticating with Google.
g
Does it time out 100% of the time, or only part of the time?
l
100% of the time if I am on our VPN, yes.
g
What do you get as the output of
curl -v https://oauth2.googleapis.com/token
?
l
$ curl -v https://oauth2.googleapis.com/token
*   Trying 172.217.14.234...
* TCP_NODELAY set
* Connected to oauth2.googleapis.com (172.217.14.234) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=upload.video.google.com
*  start date: Apr  7 09:48:36 2020 GMT
*  expire date: Jun 30 09:48:36 2020 GMT
*  subjectAltName: host "oauth2.googleapis.com" matched cert's "*.googleapis.com"
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7ffb75000000)
> GET /token HTTP/2
> Host: oauth2.googleapis.com
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 404
< content-type: text/html
< date: Fri, 01 May 2020 20:00:21 GMT
< server: scaffolding on HTTPServer2
< content-length: 0
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< alt-svc: h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
* Connection #0 to host oauth2.googleapis.com left intact
* Closing connection 0
There's no difference in response whether I'm on the VPN or not.
Is there any documentation on the exact OAuth2 call that's being done by the GCP Provider? If we could get it as a curl, it would make tracing this easier.
g
No, I don't believe we have documentation at that level, but you can enable verbose logging (https://www.pulumi.com/docs/troubleshooting/#verbose-logging) to get more information on the specific request.