
How to enable server certificate verification on the Node.js clients like MetricServiceClient/KeyManagementServiceClient for mutual TLS?

Open Ruthwik opened this issue 1 year ago • 4 comments

We are using the Node.js MetricServiceClient/KeyManagementServiceClient client in our product. How do we enable server certificate verification in the MetricServiceClient/KeyManagementServiceClient client? We want to enable client-side verification of server certificates with our CA bundle. We've explored the options of MetricServiceClient/KeyManagementServiceClient but couldn't find any.

In the case of other cloud providers we have found a way to pass the CA bundle in the options where the client verifies.

Example for AWS

const https = require('https');
const { NodeHttpHandler } = require('@smithy/node-http-handler'); // @aws-sdk/node-http-handler on older SDK v3 releases
const { AthenaClient } = require('@aws-sdk/client-athena');

// caBundle, maxVersion and credentials are defined elsewhere in the calling code
const nodeOptions = {
    httpsAgent: new https.Agent({
        rejectUnauthorized: true, // fail the handshake if the server chain is not signed by a CA in `ca`
        ca: caBundle,             // our own CA bundle (PEM)
        maxVersion                // highest TLS version to negotiate
    }),
};

const requestHandler = new NodeHttpHandler(nodeOptions);
const athena = new AthenaClient({ credentials, region: 'us-east-1', requestHandler });

In the above example, if rejectUnauthorized is true the server will reject any connection which is not authorized with the list of supplied CAs. I also found that it is different for services and clients in the Google Node.js SDK.

@beccasaurus @blowmage

Ruthwik avatar Jun 11 '24 10:06 Ruthwik

I am also facing a similar issue. Did you find any solution?

guru1306 avatar Jun 20 '24 04:06 guru1306

I don't think this can be done through grpc, see. However, I do think this could be done using our REST transport. You should be able to configure a client to use mTLS or use the agent parameter like bigquery. In order to do this you'll need to instantiate using the googleapis library, like so:

const {google} = require('googleapis/cloudkms');
const cloudkms = google.cloudkms('v1');

and in the request, you can send a second parameter (options) that extends GaxiosOptions.

sofisl avatar Jul 10 '24 03:07 sofisl

@Ruthwik did this work for you?

sofisl avatar Jul 18 '24 16:07 sofisl

@sofisl I will post here once I try these changes. It requires a change of our current libraries.

'@google-cloud/kms'

Is it also the same for monitoring client? '@google-cloud/monitoring'

Ruthwik avatar Jul 19 '24 03:07 Ruthwik

Yes, it should. Closing for now to try and keep queue clean - please open a new issue if this doesn't work for you!

sofisl avatar Feb 08 '25 01:02 sofisl