feat: add GCP Authentication Support#752
Merged
yuzisun merged 12 commits intoenvoyproxy:mainfrom Jul 2, 2025
Merged
Conversation
Signed-off-by: Sukumar Gaonkar <sgaonkar4@bloomberg.net>
sukumargaonkar
changed the title
Closed
Signed-off-by: Sukumar Gaonkar <sgaonkar4@bloomberg.net>
sukumargaonkar
changed the title
Signed-off-by: Sukumar Gaonkar <sgaonkar4@bloomberg.net>
Signed-off-by: Sukumar Gaonkar <sgaonkar4@bloomberg.net>
Signed-off-by: Sukumar Gaonkar <sgaonkar4@bloomberg.net>
yuzisun
reviewed
Jun 27, 2025
yuzisun
reviewed
Jun 27, 2025
yuzisun
reviewed
Jun 27, 2025
yuzisun
reviewed
Jun 27, 2025
Signed-off-by: Sukumar Gaonkar <sgaonkar4@bloomberg.net>
Contributor
Author
|
The current CI failure is related to test-coverage in |
Signed-off-by: Sukumar Gaonkar <sgaonkar4@bloomberg.net>
yuzisun
reviewed
Jun 28, 2025
aabchoo
reviewed
Jun 30, 2025
Signed-off-by: Sukumar Gaonkar <sgaonkar4@bloomberg.net>
Signed-off-by: Sukumar Gaonkar <sgaonkar4@bloomberg.net> # Conflicts: # api/v1alpha1/api.go # go.sum
Signed-off-by: Sukumar Gaonkar <sgaonkar4@bloomberg.net>
yuzisun
approved these changes
Jul 2, 2025
mathetake
reviewed
Jul 2, 2025
Comment on lines
+17
to
+20
| GCPModelPublisherGoogle = "google" | ||
| GCPModelPublisherAnthropic = "anthropic" | ||
| GCPMethodGenerateContent = "generateContent" | ||
| HTTPHeaderKeyContentLength = "Content-Length" |
| } | ||
| } | ||
|
|
||
| func validateGCPCredentialsParams(gcpCreds *aigv1a1.BackendSecurityPolicyGCPCredentials) error { |
Member
There was a problem hiding this comment.
shouldn't all of this condition be part of k8s CEL validation? (If so, it's redundant)
mathetake
reviewed
Jul 2, 2025
|
|
||
| // serviceAccountTokenGenerator defines a function type for generating a GCP service account access token | ||
| // using an STS token and impersonation configuration. | ||
| type serviceAccountTokenGenerator func( |
Member
There was a problem hiding this comment.
this needs a gcp prefix in the struct name
| // tokenTypeJWT indicates the subject token type is a JWT. | ||
| tokenTypeJWT = "urn:ietf:params:oauth:token-type:jwt" //nolint:gosec | ||
| // stsTokenScope is the OAuth scope for GCP cloud platform operations. | ||
| stsTokenScope = "https://www.googleapis.com/auth/cloud-platform" //nolint:gosec |
Member
There was a problem hiding this comment.
gcp prefix is needed here as well
|
|
||
| // stsTokenGenerator defines a function type for exchanging a JWT token for a GCP STS token | ||
| // using Workload Identity Federation configuration. | ||
| type stsTokenGenerator func( |
Member
There was a problem hiding this comment.
can you also add gcp prefix here
Comment on lines
+59
to
+62
| if len(hdr.Header.Value) > 0 { | ||
| suffixPath := hdr.Header.Value | ||
| hdr.Header.Value = fmt.Sprintf("%s/%s", prefixPath, suffixPath) | ||
| } |
Member
There was a problem hiding this comment.
i don't think you need this in practice. (Envoy's API naming is really bad here, but) we should stick to .RawValue for setting headers. (.Value is for formatter) https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#config-core-v3-headervalue
Contributor
|
@sukumargaonkar can you take a look at @mathetake’s comments and address in the follow up PR? |
Member
|
@sukumargaonkar also could you add more unit test around here? |
This was referenced Jul 4, 2025
yuzisun
added a commit
that referenced
this pull request
Nov 11, 2025
**Description** GCP global region endpoint is different from regional endpoint. Current PR is to handle GCP global region to avoid segfault. Related PR: #752 --------- Signed-off-by: Xiaolin Lin <xlin158@bloomberg.net> Signed-off-by: Dan Sun <dsun20@bloomberg.net> Co-authored-by: Dan Sun <dsun20@bloomberg.net>
hustxiayang
pushed a commit
to hustxiayang/ai-gateway
that referenced
this pull request
Nov 13, 2025
**Description** GCP global region endpoint is different from regional endpoint. Current PR is to handle GCP global region to avoid segfault. Related PR: envoyproxy#752 --------- Signed-off-by: Xiaolin Lin <xlin158@bloomberg.net> Signed-off-by: Dan Sun <dsun20@bloomberg.net> Co-authored-by: Dan Sun <dsun20@bloomberg.net> Signed-off-by: yxia216 <yxia216@bloomberg.net>
missBerg
pushed a commit
to missBerg/ai-gateway
that referenced
this pull request
Dec 20, 2025
**Description** GCP global region endpoint is different from regional endpoint. Current PR is to handle GCP global region to avoid segfault. Related PR: envoyproxy#752 --------- Signed-off-by: Xiaolin Lin <xlin158@bloomberg.net> Signed-off-by: Dan Sun <dsun20@bloomberg.net> Co-authored-by: Dan Sun <dsun20@bloomberg.net> Signed-off-by: Erica Hughberg <erica.sundberg.90@gmail.com>
mtparet
pushed a commit
to blackfuel-ai/ai-gateway
that referenced
this pull request
Jan 14, 2026
**Description** GCP global region endpoint is different from regional endpoint. Current PR is to handle GCP global region to avoid segfault. Related PR: envoyproxy#752 --------- Signed-off-by: Xiaolin Lin <xlin158@bloomberg.net> Signed-off-by: Dan Sun <dsun20@bloomberg.net> Co-authored-by: Dan Sun <dsun20@bloomberg.net>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR add support for authenticating against GCP via external OIDC tokens. It uses google's Workload Identity Federation [1] to exchange an OIDC token for GCP's access token. It also support optional service account impersonation.
ProjectNameandRegionfield in BackendSecurityPolicyGCPCredentials1: https://cloud.google.com/iam/docs/workload-identity-federation
Related Issues/PRs (if applicable)
Previous PR: #635
Related Issue: #609