SDK sends incorrect Content-Type: text/plain with Impersonated ADC, causing "Parse Error" on metadata operations #2683
Description
Please make sure you have searched for information in the following guides.
- Search the issues already opened: https://github.com/GoogleCloudPlatform/google-cloud-node/issues
- Search StackOverflow: http://stackoverflow.com/questions/tagged/google-cloud-platform+node.js
- Check our Troubleshooting guide: https://github.com/googleapis/google-cloud-node/blob/main/docs/troubleshooting.md
- Check our FAQ: https://github.com/googleapis/google-cloud-node/blob/main/docs/faq.md
- Check our libraries HOW-TO: https://github.com/googleapis/gax-nodejs/blob/main/client-libraries.md
- Check out our authentication guide: https://github.com/googleapis/google-auth-library-nodejs
- Check out handwritten samples for many of our APIs: https://github.com/GoogleCloudPlatform/nodejs-docs-samples
A screenshot that you have tested with "Try this API".
Tested via API and it works properly
Link to the code that reproduces this issue. A link to a public Github Repository or gist with a minimal reproduction.
https://gist.github.com/MatanyaP/5b814de23cad5b7fede94a9b04efdc91
A step-by-step description of how to reproduce the issue, based on the linked reproduction.
- Authenticate locally using Service Account Impersonation:
# This generates "Impersonated" type credentials
gcloud auth application-default login \
--impersonate-service-account=my-sa@my-project.iam.gserviceaccount.com
- Run the reproduction script from the gist
A clear and concise description of what the bug is, and what you expected to happen.
Description
When initializing the SDK with Application Default Credentials (ADC) configured for Service Account Impersonation (via gcloud auth application-default login --impersonate-service-account), the SDK incorrectly sets the HTTP request header Content-Type: text/plain for bucket metadata operations (such as bucket.create()).
Because the request body contains a JSON payload but the header declares it as plain text, the Google Cloud Storage API fails to parse the body and returns a 400 Parse Error.
Expected behavior:
The SDK should consistently set Content-Type: application/json for all JSON-based API requests, regardless of the underlying credential type (Impersonated, Compute, or Service Account Key). The operation should succeed just as it does when using standard Service Account keys or Cloud Run metadata credentials.
Affected Credential Type: Impersonated (via gcloud auth application-default login --impersonate-service-account), standard User ADC
Unaffected Credential Types: Compute (Cloud Run/GCE), JWT (Service Account Keys).
Environment Details
OS: macOS (Darwin ARM64)
Node.js version: v22.19.0
@google-cloud/storage version: 7.17.3
Authentication Method: ADC with Service Account Impersonation
A clear and concise description WHY you expect this behavior, i.e., was it a recent change, there is documentation that points to this behavior, etc. **
I expect this behavior because:
- API Specification: The Google Cloud Storage JSON API explicitly requires Content-Type: application/json for POST/PUT requests containing metadata (Reference: JSON API documentation).
- Inconsistency: This is likely a regression or edge-case failure. The SDK works correctly (sends application/json) when using other credential types, such as standard Service Account keys or native Cloud Run/Compute Engine credentials. The use of Impersonated credentials in local development should not alter the HTTP headers sent by the Storage client.