crane: fails to load URL-sourced environment credentials #1886

Open
joaodrp opened this issue Mar 1, 2024 · 0 comments
Labels
bug Something isn't working

joaodrp commented Mar 1, 2024

Describe the bug

I'm testing a workload identity federation setup from GitLab. crane seems to fail to identify environment credentials while the gcloud CLI succeeds. This behaviour seems to go against what was described in #1496 (comment).

I'm setting both CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE and GOOGLE_APPLICATION_CREDENTIALS environment variables to the path of a JSON file with the following content:

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/604150606412/locations/global/workloadIdentityPools/issue-reproduce/providers/issue-reproduce",
  "token_url": "https://sts.googleapis.com/v1/token",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "credential_source": {
    "url": "https://auth.gcp.gitlab.com/token",
    "headers": {
      "Authorization": "Bearer TRUNCATED"
    },
    "format": {
      "type": "json",
      "subject_token_field_name": "token"
    }
  }
}

I then try to list artifacts in an Artifact Registry repository, and crane returns the error No matching credentials were found for "us-east1-docker.pkg.dev". However, doing the same with gcloud works just fine.

The only way I got this to work with crane was to use docker-credential-gcr or gcloud auth configure-docker to configure auth.

So it seems that crane fails to identify the environment credentials, and the only fallback that works is the Docker config (if any).

To Reproduce

This is based on an experimental GitLab feature that is not yet released. I can give access to a maintainer from Google for debug purposes if needed.

Expected behavior

crane is able to identify and use environment credentials.

Additional context

Here are some logs. I'm using the latest (v0.19.0) version of crane.

crane 🔴

crane-nok.log

gcloud 🟢

gcloud-ok.log

crane + docker config 🟢

crane-ok.log

Local test 🔴 🟢

I get the exact same result (crane does not work, gcloud does) when running this locally.

local.log

@joaodrp joaodrp added the bug Something isn't working label Mar 1, 2024
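
For anyone debugging a credential file like the one quoted in the issue, the following added example (not code from the issue or from go-containerregistry, and not a reproduction of crane's credential lookup) shows what a client honouring a URL-sourced external_account file has to derive from it: the subject token taken from the credential_source.url response, and the token-exchange form posted to token_url. The function name, the cloud-platform scope and all sample values are assumptions constructed for the example; nothing is sent over the network.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// externalAccount holds only the fields of the quoted file (JSON keys match case-insensitively).
type externalAccount struct {
	Type, Audience   string
	TokenURL         string `json:"token_url"`
	SubjectTokenType string `json:"subject_token_type"`
	CredentialSource struct {
		URL    string
		Format struct {
			Type  string
			Field string `json:"subject_token_field_name"`
		}
	} `json:"credential_source"`
}

// stsRequest (hypothetical helper) returns the endpoint and form of the token exchange,
// given the credential file and the body returned by credential_source.url.
func stsRequest(cfg, sourceBody []byte) (string, url.Values, error) {
	var c externalAccount
	if err := json.Unmarshal(cfg, &c); err != nil || c.Type != "external_account" || c.CredentialSource.URL == "" {
		return "", nil, fmt.Errorf("not a URL-sourced external_account config (type %q, parse error: %v)", c.Type, err)
	}
	token := string(sourceBody) // non-JSON format: the body itself is the token
	if f := c.CredentialSource.Format; f.Type == "json" {
		var m map[string]interface{}
		err := json.Unmarshal(sourceBody, &m)
		if token, _ = m[f.Field].(string); err != nil || token == "" {
			return "", nil, fmt.Errorf("no %q string in source response (parse error: %v)", f.Field, err)
		}
	}
	return c.TokenURL, url.Values{
		"grant_type":           {"urn:ietf:params:oauth:grant-type:token-exchange"},
		"requested_token_type": {"urn:ietf:params:oauth:token-type:access_token"},
		"scope":                {"https://www.googleapis.com/auth/cloud-platform"}, // assumed scope
		"audience":             {c.Audience},
		"subject_token_type":   {c.SubjectTokenType},
		"subject_token":        {token},
	}, nil
}

func main() {
	cfg := `{"type":"external_account","audience":"//iam.googleapis.com/POOL-PLACEHOLDER","token_url":"https://sts.googleapis.com/v1/token","subject_token_type":"urn:ietf:params:oauth:token-type:jwt","credential_source":{"url":"https://auth.gcp.gitlab.com/token","format":{"type":"json","subject_token_field_name":"token"}}}` // constructed
	fmt.Println(stsRequest([]byte(cfg), []byte(`{"token":"CONSTRUCTED.JWT"}`)))
}
```

If the form can be built from the file and the source response, the file itself is well-formed and the remaining question is whether the tool ever reads it.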