How to enable server certificate verification on the Nodejs clients like MetricServiceClient/KeyManagementServiceClient for Mutual TLS?
We are using Nodejs MetricServiceClient/KeyManagementServiceClient client in our product. How do we enable server certificate verification in the MetricServiceClient/KeyManagementServiceClient client? We want to enable client-side verification of server certificates with our CA bundle. We've explored the options of MetricServiceClient/KeyManagementServiceClient but couldn't find any.
In the case of other cloud providers we have found a way to pass the CA bundle in the options where the client verifies.
Example for AWS
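```javascript
const https = require('https');
const { AthenaClient } = require('@aws-sdk/client-athena');
// Older AWS SDK v3 releases ship this class as @aws-sdk/node-http-handler.
const { NodeHttpHandler } = require('@smithy/node-http-handler');

// caBundle, maxVersion and credentials are defined elsewhere in the application.
const nodeOptions = {
  httpsAgent: new https.Agent({
    rejectUnauthorized: true,
    ca: caBundle,
    maxVersion,
  }),
};
const requestHandler = new NodeHttpHandler(nodeOptions);
const athena = new AthenaClient({ credentials, region: 'us-east-1', requestHandler });
```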
In the above example, if rejectUnauthorized is true the server will reject any connection which is not authorized with the list of supplied CAs. I also found that it is different for services and clients in the Google Node.js SDK.
@beccasaurus @blowmage
I am also facing a similar issue. Did you find any solution?
I don't think this can be done through grpc, see. However, I do think this could be done using our REST transport. You should be able to configure a client to use mTLS or use the agent parameter like bigquery. In order to do this you'll need to instantiate using the googleapis library, like so:
```javascript
// The googleapis package exports `google` from its root entry point.
const {google} = require('googleapis');
const cloudkms = google.cloudkms('v1');
```
and in the request, you can send a second parameter (options) that extends GaxiosOptions
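
The following is an added example, not part of the thread and not code from the Google or AWS libraries: it builds the kind of `https.Agent` discussed above from a CA bundle, failing fast on an empty bundle and making explicit that `ca` replaces Node's default roots. The names `parseCaBundle`, `buildVerifyingAgent` and `includeDefaultRoots` are hypothetical, and passing the result as the `agent` field of the request options is an assumption based on the comment above.

```javascript
'use strict';
const https = require('https');
const tls = require('tls');
const { X509Certificate } = require('crypto');

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle into certificates and parse each one, so an empty or
// truncated bundle fails here instead of at the first request.
function parseCaBundle(pemBundle) {
  const blocks = String(pemBundle || '').match(PEM_CERT) || [];
  if (blocks.length === 0) {
    throw new Error('CA bundle contains no PEM certificates');
  }
  blocks.forEach((pem) => new X509Certificate(pem)); // throws if unparsable
  return blocks;
}

// Build an agent that verifies the server chain against the bundle.
// Setting `ca` REPLACES Node's built-in roots: a bundle holding only a
// private CA will reject publicly trusted endpoints unless
// includeDefaultRoots (hypothetical option name) is true.
function buildVerifyingAgent(pemBundle, { includeDefaultRoots = false } = {}) {
  const ca = parseCaBundle(pemBundle);
  if (includeDefaultRoots) ca.push(...tls.rootCertificates);
  return new https.Agent({
    ca,
    rejectUnauthorized: true, // this flag is the verification itself
    minVersion: 'TLSv1.2',
  });
}

// Constructed sample input: one root from Node's own store stands in for
// the caBundle variable used in the thread.
const sampleBundle = tls.rootCertificates[0] + '\n';
const agent = buildVerifyingAgent(sampleBundle);
console.log('trusted CAs:', agent.options.ca.length);
```
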
@Ruthwik did this work for you?
@sofisl I will post here once I try these changes. It requires a change of our current libraries.
'@google-cloud/kms'
Is it also the same for monitoring client? '@google-cloud/monitoring'
Yes, it should. Closing for now to try and keep queue clean - please open a new issue if this doesn't work for you!