
[Logs] Deliver GCP logging credential to a readable remote path#9991

Open
aylei wants to merge 1 commit into master from aylei/fix-gcp-logging-cred-delivery


aylei commented Jun 30, 2026

Collaborator

Summary

logs.gcp.credentials_file is uploaded to clusters and exported as GOOGLE_APPLICATION_CREDENTIALS for the fluent-bit stackdriver output. Two cases were broken:

  • The credential was uploaded to the same path it has on the API server and used verbatim on the cluster. When that path is under a home the cluster's runtime user cannot read (e.g. /root while the cluster runs as a non-root user), fluent-bit cannot open the key and stackdriver initialization fails — silently, since on GKE the setup falls back to the metadata server and the agent still starts but never authenticates.
  • The configured path may be a symlink (e.g. a Kubernetes Secret mounted as a volume); the file-mount upload does not follow it, so no real file lands on the cluster.

This resolves the configured path with expanduser + realpath (handling ~, relative paths, and symlinks) and delivers the resolved file to a fixed home-relative location, ~/.sky/logging/gcp_credentials.json, pointing GOOGLE_APPLICATION_CREDENTIALS there. Behavior is unchanged when no key is configured (application-default credentials / metadata server).

Test

  • New unit tests tests/unit_tests/test_sky/logs/test_gcp.py: symlink resolution, ~ expansion, and that the setup command exports GOOGLE_APPLICATION_CREDENTIALS to the remote path when a key is set (and to the application-default path otherwise). pytest tests/unit_tests/test_sky/logs/test_gcp.py — 5 passed.
  • Manual (Kubernetes-hosted API server, non-root cluster user): confirmed that delivering the key to a home-relative path the runtime user can read is what lets the fluent-bit stackdriver output authenticate and ship task logs to Cloud Logging; the prior same-path behavior left the key unreadable and the agent failed to authenticate.

logs.gcp.credentials_file was uploaded to the same path it has on the API server and used directly as GOOGLE_APPLICATION_CREDENTIALS. This breaks two real cases: the source path lives under a home the cluster's runtime user cannot read (e.g. /root while the cluster runs as a non-root user), and the key is a symlink (e.g. a Kubernetes Secret mounted as a volume) that the file-mount upload does not follow.

Resolve the configured path with expanduser + realpath and deliver the resolved file to a fixed home-relative location (~/.sky/logging/gcp_credentials.json), pointing GOOGLE_APPLICATION_CREDENTIALS there. When no key is configured the behavior is unchanged (application-default credentials / metadata server).
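
The resolution and delivery steps described in the summary above, as an added Python example that is not code from this pull request or the project. The function names, the `chmod 600` step and the constructed Secret-volume layout are assumptions; only the remote path and the environment variable come from the description.

```python
import os
import stat
import tempfile

# Remote location named in the PR description; all function names are hypothetical.
REMOTE_CRED_PATH = '~/.sky/logging/gcp_credentials.json'


def resolve_credential(configured_path):
    """Expand ~ and follow symlinks; raise instead of silently falling back."""
    resolved = os.path.realpath(os.path.expanduser(configured_path))
    try:
        mode = os.stat(resolved).st_mode
    except OSError as e:
        raise FileNotFoundError(
            f'credential {configured_path!r} resolves to missing {resolved!r}') from e
    if not stat.S_ISREG(mode):
        raise ValueError(f'{resolved!r} is not a regular file')
    return resolved


def plan_delivery(configured_path):
    """Return (file_mounts, setup_command) for the resolved key."""
    file_mounts = {REMOTE_CRED_PATH: resolve_credential(configured_path)}
    # "~" is not expanded inside double quotes, so hand the remote shell $HOME.
    remote = REMOTE_CRED_PATH.replace('~', '$HOME', 1)
    # chmod 600 is an added hardening assumption, not something the PR states.
    setup = (f'chmod 600 "{remote}" && '
             f'export GOOGLE_APPLICATION_CREDENTIALS="{remote}"')
    return file_mounts, setup


def make_secret_volume(root):
    """Constructed sample: symlink layout of a mounted Kubernetes Secret."""
    ts_dir = os.path.join(root, '..2026_06_30_00_00_00.000000000')
    os.makedirs(ts_dir)
    with open(os.path.join(ts_dir, 'key.json'), 'w') as f:
        f.write('{"type": "service_account"}')  # placeholder, not a real key
    os.symlink(os.path.basename(ts_dir), os.path.join(root, '..data'))
    os.symlink(os.path.join('..data', 'key.json'), os.path.join(root, 'key.json'))
    return os.path.join(root, 'key.json')


if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as d:
        mounts, setup = plan_delivery(make_secret_volume(d))
        print(mounts)
        print(setup)
```

Raising on a missing or dangling path surfaces the misconfiguration at launch time, rather than leaving the agent to start without the key.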

gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request updates the GCP logging agent to deliver user-provided service-account keys to a fixed, home-relative remote path instead of using the source path. It resolves symlinks and expands user paths on the local credentials file before uploading, ensuring compatibility with Kubernetes Secrets and multi-user environments. Unit tests have been added to verify these behaviors. I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

aylei commented Jun 30, 2026

Collaborator Author

/smoke-test -k logging

aylei commented Jun 30, 2026

Collaborator Author

/smoke-test -k test_log_collection

DanielZhangQD left a comment

Collaborator


LGTM! Thanks! @aylei
