Hi all. I'm getting a timeout error from GCP when ...
# google-cloud
Hi all. I'm getting a timeout error from GCP when trying to do ... well, anything really:
Copy code
debug: Dismissed an error as retryable. marked as timeout - Post <https://oauth2.googleapis.com/token>: dial tcp: i/o timeout
This only happens when on our corporate VPN, but it's a little baffling because I can ping and telnet to https://oauth2.googleapis.com/ just fine (as well as any *.googleapis.com address). Is there any way to get more information about the token call it's making, beyond debug mode?
Another thing: we're using GCS for state management, and Pulumi doesn't have any problem doing that over our VPN. So this seems specific to how the GCP provider is authenticating with Google.
Does it timeout 100% of the time? or only part of the time?
100% of the time if I am on our VPN, yes.
What do you get as the output of
curl -v <https://oauth2.googleapis.com/token>
Copy code
$ curl -v <https://oauth2.googleapis.com/token>
*   Trying
* Connected to <http://oauth2.googleapis.com|oauth2.googleapis.com> ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=<http://upload.video.google.com|upload.video.google.com>
*  start date: Apr  7 09:48:36 2020 GMT
*  expire date: Jun 30 09:48:36 2020 GMT
*  subjectAltName: host "<http://oauth2.googleapis.com|oauth2.googleapis.com>" matched cert's "*.<http://googleapis.com|googleapis.com>"
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7ffb75000000)
> GET /token HTTP/2
> Host: <http://oauth2.googleapis.com|oauth2.googleapis.com>
> User-Agent: curl/7.64.1
> Accept: */*
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 404
< content-type: text/html
< date: Fri, 01 May 2020 20:00:21 GMT
< server: scaffolding on HTTPServer2
< content-length: 0
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< alt-svc: h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
* Connection #0 to host <http://oauth2.googleapis.com|oauth2.googleapis.com> left intact
* Closing connection 0
There's no difference in response whether I'm on the VPN or not.
Is there any documentation on the exact Oauth2 call that's being done by the GCP Provider? If we could get it as a curl, it would make tracing this easier.
No, I don't believe we have documentation at that level, but you can enable verbose logging (https://www.pulumi.com/docs/troubleshooting/#verbose-logging) to get more information on the specific request.