Determine this is the right repository
Summary of the issue
The IAM endpoints in `google/auth/iam.py` (`_IAM_SIGN_ENDPOINT`, `_IAM_SIGNJWT_ENDPOINT`, `_IAM_ENDPOINT`, and `_IAM_IDTOKEN_ENDPOINT`) are bound as static module-level variables at import time:

```python
# google/auth/iam.py
if (
    hasattr(_mtls_helper, "check_use_client_cert")
    and _mtls_helper.check_use_client_cert()
):
    _IAM_DOMAIN = f"iamcredentials.mtls.{credentials.DEFAULT_UNIVERSE_DOMAIN}"
else:
    _IAM_DOMAIN = f"iamcredentials.{credentials.DEFAULT_UNIVERSE_DOMAIN}"
```
This static evaluation freezes the hostnames based on the mTLS/cert state at initial module load. This could break two flows:

- Late bootstrap config: Programmatic environment updates (e.g., setting `os.environ["GOOGLE_API_USE_CLIENT_CERTIFICATE"] = "true"`) or dynamically mounting certificates/configs after imports have run are completely ignored.
- Runtime identity transitions (GCE CUJ): Under the new GCE model where identities can change from SA to MWLID during runtime, the client cannot adapt its destination endpoints dynamically to match the updated certificate state.
Potential solution: Refactor `google/auth/iam.py` to resolve these endpoints dynamically. If we don't want it to evaluate the domain on every single call, we can cache it with `@functools.cache` and invalidate the cache later once we add support for the GCE CUJ.

In addition, no unit tests were added when the change to support mTLS endpoints was made. Unit tests must be added to cover that the right endpoint is being triggered.
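The following is an added sketch of the proposed lazy resolution, not code from google-auth: a stand-in `check_use_client_cert()` reads `GOOGLE_API_USE_CLIENT_CERTIFICATE` at call time, the domain is memoized with `@functools.cache` and exposed through an explicit invalidation hook, and `late_bootstrap_demo()` replays the "late bootstrap" flow so the stale-cache case is visible. The signBlob path is the public IAM Credentials path; `DEFAULT_UNIVERSE_DOMAIN` is hard-coded here in place of `credentials.DEFAULT_UNIVERSE_DOMAIN`.

```python
import functools
import os

# Stand-in for credentials.DEFAULT_UNIVERSE_DOMAIN.
DEFAULT_UNIVERSE_DOMAIN = "googleapis.com"


def check_use_client_cert() -> bool:
    # Stand-in for _mtls_helper.check_use_client_cert(): consults the
    # environment every time it is called rather than once at import.
    value = os.environ.get("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false")
    return value.strip().lower() == "true"


def _resolve_iam_domain() -> str:
    # Same selection logic as the module-level if/else, but as a function.
    if check_use_client_cert():
        return f"iamcredentials.mtls.{DEFAULT_UNIVERSE_DOMAIN}"
    return f"iamcredentials.{DEFAULT_UNIVERSE_DOMAIN}"


@functools.cache
def iam_domain() -> str:
    # First call resolves and memoizes; later calls return the cached value
    # until invalidate_iam_domain_cache() is called (e.g. on an identity switch).
    return _resolve_iam_domain()


def invalidate_iam_domain_cache() -> None:
    # Hook a future GCE identity-transition path can call to force re-resolution.
    iam_domain.cache_clear()


def iam_sign_endpoint() -> str:
    # Endpoint built on demand instead of frozen at import time.
    return f"https://{iam_domain()}/v1/projects/-/serviceAccounts/{{}}:signBlob"


def late_bootstrap_demo() -> dict:
    # Replays the issue's late-bootstrap flow: the env var is set after "import"
    # (here: after the first resolution). Returns what each stage observes.
    os.environ.pop("GOOGLE_API_USE_CLIENT_CERTIFICATE", None)
    invalidate_iam_domain_cache()
    before = iam_domain()
    os.environ["GOOGLE_API_USE_CLIENT_CERTIFICATE"] = "true"
    stale = iam_domain()  # cache still answers with the pre-bootstrap domain
    invalidate_iam_domain_cache()
    after = iam_domain()  # re-resolved against the updated environment
    return {"before": before, "stale": stale, "after": after}
```

The `stale` entry is the point the issue makes: caching alone reproduces the import-time freeze, so the cache must be cleared wherever certificate state can change. A unit test of the refactor would assert exactly these three values.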
API client name and version
No response
Reproduction steps: code
No response
Reproduction steps: supporting files
No response
Reproduction steps: actual results
No response
Reproduction steps: expected results
No response
OS & version + platform
No response
Python environment
No response
Python dependencies
No response
Additional context
No response