Skip to content

feat(auth): Add ProgrammaticSourcedCredentials #2541

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 17 commits into from
Jun 30, 2025
Merged

feat(auth): Add ProgrammaticSourcedCredentials #2541

merged 17 commits into from
Jun 30, 2025

Conversation

@harkamaljot
Copy link
Collaborator

@harkamaljot harkamaljot commented Jun 27, 2025
edited
Loading

As part of allowing the user to provide their own subject token provider, this PR makes following changes:

Make SubjectTokenProvider trait public.
A new builder ProgrammaticSourcedCredentials is created to utilize this trait and a corresponding test case has been added.

@harkamaljot harkamaljot requested a review from a team as a code owner June 27, 2025 05:41
@harkamaljot harkamaljot marked this pull request as draft June 27, 2025 05:41
@harkamaljot harkamaljot changed the title draft(auth): draft change feat(auth): Add ProgrammaticSourcedCredentials Jun 27, 2025
@codecov
Copy link

codecov bot commented Jun 27, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 98.00000% with 2 lines in your changes missing coverage. Please review.

Project coverage is 95.47%. Comparing base (b5c298d) to head (e648a7d).
Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
src/auth/src/credentials/external_account.rs 97.36% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2541      +/-   ##
==========================================
+ Coverage   95.34%   95.47%   +0.12%     
==========================================
  Files          79       81       +2     
  Lines        3224     3314      +90     
==========================================
+ Hits         3074     3164      +90     
  Misses        150      150

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@harkamaljot harkamaljot reopened this Jun 27, 2025
sai-sunder-s
sai-sunder-s reviewed Jun 27, 2025
View reviewed changes
src/auth/src/credentials/external_account.rs Outdated
Comment on lines 466 to 467
/// Sets the required token URL for the STS token exchange.
pub fn with_token_url<S: Into<String>>(mut self, token_url: S) -> Self {
Copy link
Contributor

@sai-sunder-s sai-sunder-s Jun 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe we can default to sts.googleapis.com. We do not have to force user into providing this. @leosiracusa thoughts?

Copy link
Collaborator Author

@harkamaljot harkamaljot Jun 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah having a default here is better, I added a default here for now.

@harkamaljot harkamaljot reopened this Jun 27, 2025
@harkamaljot harkamaljot marked this pull request as ready for review June 27, 2025 17:18
@harkamaljot harkamaljot requested a review from sai-sunder-s June 27, 2025 17:18
@harkamaljot harkamaljot requested a review from alvarowolfx June 27, 2025 17:23
alvarowolfx
alvarowolfx reviewed Jun 27, 2025
View reviewed changes
coryan
coryan reviewed Jun 27, 2025
View reviewed changes
sai-sunder-s
sai-sunder-s reviewed Jun 27, 2025
View reviewed changes
@harkamaljot harkamaljot requested a review from sai-sunder-s June 28, 2025 00:20
@harkamaljot harkamaljot merged commit dcbb948 into googleapis:main Jun 30, 2025
23 checks passed
@harkamaljot harkamaljot deleted the custom-2 branch June 30, 2025 18:57
dbolduc
dbolduc reviewed Jun 30, 2025
View reviewed changes
Copy link
Member

@dbolduc dbolduc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also it looks like only the credentials::Builder heeds the GOOGLE_CLOUD_QUOTA_PROJECT env var. Is that env var only for ADC?

This was referenced Jul 1, 2025
Closed
Closed
@alvarowolfx alvarowolfx mentioned this pull request Jul 3, 2025
Closed
@harkamaljot
Copy link
Collaborator Author

harkamaljot commented Jul 7, 2025

GOOGLE_CLOUD_QUOTA_PROJECT

According to the guidance in AIP-4110, this variable is intended to specify a quota project for Application Default Credentials (ADC). I've also reviewed the Java implementation of this, and it confirms that GOOGLE_CLOUD_QUOTA_PROJECT is only used in the ADC workflow.

Currently, our api_key_credentials builder also reads this environment variable. So it shouldn't be reading this env variable value.

@dbolduc
Copy link
Member

dbolduc commented Jul 7, 2025

Ack, thanks for checking

@harkamaljot harkamaljot mentioned this pull request Jul 7, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dbolduc dbolduc dbolduc left review comments

@alvarowolfx alvarowolfx alvarowolfx approved these changes

@sai-sunder-s sai-sunder-s sai-sunder-s approved these changes

@coryan coryan Awaiting requested review from coryan

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@harkamaljot @dbolduc @alvarowolfx @sai-sunder-s @coryan