fix(auth): fail-fast on invalid or non-workload certificate configs in agent identity discovery#17116
Merged
chalmerlowe merged 5 commits intoMay 15, 2026
googleapis:maingoogleapis/google-cloud-python:mainfrom
nbayati:fix-agent-bound-token-cert-discoverynbayati/google-cloud-python:fix-agent-bound-token-cert-discoveryCopy head branch name to clipboard
Merged
fix(auth): fail-fast on invalid or non-workload certificate configs in agent identity discovery#17116chalmerlowe merged 5 commits intogoogleapis:maingoogleapis/google-cloud-python:mainfrom nbayati:fix-agent-bound-token-cert-discoverynbayati/google-cloud-python:fix-agent-bound-token-cert-discoveryCopy head branch name to clipboard
chalmerlowe merged 5 commits into
googleapis:maingoogleapis/google-cloud-python:mainfrom
nbayati:fix-agent-bound-token-cert-discoverynbayati/google-cloud-python:fix-agent-bound-token-cert-discoveryCopy head branch name to clipboard
Conversation
…n agent identity discovery The `GOOGLE_API_CERTIFICATE_CONFIG` environment variable is shared between Managed Workload Identity (MWLID) token-binding and other flows like Enterprise Certificate Provider (ECP) configs (e.g., PKCS#11). When this env var is set, agent identity discovery is triggered. If the config file exists but lacks the `"workload"` section (as with ECP configurations),we should exit early and return `None` to avoid delaying non-workload flows. In addition, if the config file on disk had syntax errors or invalid JSON, the previous logic entered a 30-second blocking retry loop before failing with `RefreshError`. To resolve this, the lookup logic now assumes that if the config file exists on disk, it is in its final format. If the file exists but lacks a `"workload"` section, has syntax errors, or is unreadable, we return `None` immediately to fail-fast and avoid startup delays.
Contributor
There was a problem hiding this comment.
Code Review
This pull request refactors the get_agent_identity_certificate_path function to support a well-known workload directory fallback and improves the robustness of configuration parsing with better type checking and fail-fast logic. New test cases were added to cover various invalid configuration scenarios. Feedback was provided to add an explicit type check for the cert_configs dictionary to prevent a potential AttributeError and to raise an error instead of returning None for malformed configurations.
agrawalradhika-cell
approved these changes
May 14, 2026
agrawalradhika-cell
left a comment
Contributor
There was a problem hiding this comment.
Provided some minor comments, rest looks good!
…g agent certificate configuration
…ound for failing docs checks
This was referenced May 15, 2026
suztomo
added a commit
that referenced
this pull request
May 15, 2026
PR created by the Librarian CLI to initialize a release. Merging this PR will auto trigger a release. Librarian Version: v0.13.0 Language Image: us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator@sha256:234b9d1f2ddb057ed7ac6a38db0bf8163d839c65c6cf88ade52530cddebce59e <details><summary>google-auth: v2.53.0</summary> ## [v2.53.0](suztomo/google-cloud-python@google-auth-v2.52.0...google-auth-v2.53.0) (2026-05-15) ### Bug Fixes * allowlist agents-nonprod trust domains for agent identity (#17155) ([44c93d2](suztomo@44c93d2e)) * fail-fast on invalid or non-workload certificate configs in agent identity discovery (#17116) ([f27a546](suztomo@f27a5461)) </details> b/513591686
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The
GOOGLE_API_CERTIFICATE_CONFIGenvironment variable is shared between Managed Workload Identity (MWLID) token-binding and other flows like Enterprise Certificate Provider (ECP) configs (e.g., PKCS#11).When this env var is set, agent identity discovery is triggered. If the config file exists but lacks the
"workload"section (as with ECP configurations),we should exit early and returnNoneto avoid delaying non-workload flows.In addition, if the config file on disk had syntax errors or invalid JSON, the previous logic entered a 30-second blocking retry loop before failing with
RefreshError. To resolve this, the lookup logic now assumes that if the config file exists on disk, it is in its final format. If the file exists but lacks a"workload"section, has syntax errors, or is unreadable, we returnNoneimmediately to fail-fast and avoid startup delays.b/512912028
fixes #17145