https://pulumi.com logo
#google-cloud
Title
# google-cloud
l

limited-rain-96205

05/01/2020, 5:53 PM
Hi all. I'm getting a timeout error from GCP when trying to do ... well, anything really:
Copy code
debug: Dismissed an error as retryable. marked as timeout - Post <https://oauth2.googleapis.com/token>: dial tcp: i/o timeout
This only happens when on our corporate VPN, but it's a little baffling because I can ping and telnet to https://oauth2.googleapis.com/ just fine (as well as any *.googleapis.com address). Is there any way to get more information about the token call it's making, beyond debug mode?
Another thing: we're using GCS for state management, and Pulumi doesn't have any problem doing that over our VPN. So this seems specific to how the GCP provider is authenticating with Google.
g

gentle-diamond-70147

05/01/2020, 6:40 PM
Does it timeout 100% of the time? or only part of the time?
l

limited-rain-96205

05/01/2020, 7:37 PM
100% of the time if I am on our VPN, yes.
g

gentle-diamond-70147

05/01/2020, 7:50 PM
What do you get as the output of
curl -v <https://oauth2.googleapis.com/token>
?
l

limited-rain-96205

05/01/2020, 8:02 PM
Copy code
$ curl -v <https://oauth2.googleapis.com/token>
*   Trying 172.217.14.234...
* TCP_NODELAY set
* Connected to <http://oauth2.googleapis.com|oauth2.googleapis.com> (172.217.14.234) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=<http://upload.video.google.com|upload.video.google.com>
*  start date: Apr  7 09:48:36 2020 GMT
*  expire date: Jun 30 09:48:36 2020 GMT
*  subjectAltName: host "<http://oauth2.googleapis.com|oauth2.googleapis.com>" matched cert's "*.<http://googleapis.com|googleapis.com>"
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7ffb75000000)
> GET /token HTTP/2
> Host: <http://oauth2.googleapis.com|oauth2.googleapis.com>
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 404
< content-type: text/html
< date: Fri, 01 May 2020 20:00:21 GMT
< server: scaffolding on HTTPServer2
< content-length: 0
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< alt-svc: h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
* Connection #0 to host <http://oauth2.googleapis.com|oauth2.googleapis.com> left intact
* Closing connection 0
There's no difference in response whether I'm on the VPN or not.
Is there any documentation on the exact Oauth2 call that's being done by the GCP Provider? If we could get it as a curl, it would make tracing this easier.
g

gentle-diamond-70147

05/01/2020, 9:31 PM
No, I don't believe we have documentation at that level, but you can enable verbose logging (https://www.pulumi.com/docs/troubleshooting/#verbose-logging) to get more information on the specific request.