Skip to content

fix(auth): exit early when agent cert config is outside well-known directory#17762

Merged
nbayati merged 6 commits into
googleapis:mainfrom
nbayati:skip-polling-if-not-explicitly-set
Jul 17, 2026
Merged

fix(auth): exit early when agent cert config is outside well-known directory#17762
nbayati merged 6 commits into
googleapis:mainfrom
nbayati:skip-polling-if-not-explicitly-set

Conversation

@nbayati

@nbayati nbayati commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

To prevent unnecessary startup latency, this updates the agent certificate retrieval to only poll when the config points to the well-known workload directory (where Cloud Run dynamically mounts files). For all other paths, it exits early.

  • Extracts config parsing into a dedicated helper function
  • Removes the hardcoded fallback to the well-known path when no config is provided
  • Adds test coverage for new logic

fixes b/522957573

…ectory

To prevent unnecessary startup latency, this updates the agent certificate retrieval to only poll when the config points to the well-known workload directory (where Cloud Run dynamically mounts files). For all other paths, it exits early.

- Extracts config parsing into a dedicated helper function
- Removes the hardcoded fallback to the well-known path when no config is provided
- Adds test coverage for new logic
@nbayati
nbayati requested review from a team as code owners July 17, 2026 06:42

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the agent identity certificate path retrieval logic in _agent_identity_utils.py by extracting configuration parsing and polling into dedicated helper functions, and conditionally disabling polling for paths outside the well-known directory to avoid startup delays. The review feedback recommends specifying encoding="utf-8" when opening the configuration file to ensure consistent cross-platform behavior.

Comment thread packages/google-auth/google/auth/_agent_identity_utils.py Outdated
@nbayati nbayati changed the title refactor: exit early when agent cert config is outside well-known directory fix(aith): exit early when agent cert config is outside well-known directory Jul 17, 2026
@parthea parthea added kokoro:force-run Add this label to force Kokoro to re-run the tests. kokoro:run Add this label to force Kokoro to re-run the tests. labels Jul 17, 2026
@yoshi-kokoro yoshi-kokoro removed kokoro:run Add this label to force Kokoro to re-run the tests. kokoro:force-run Add this label to force Kokoro to re-run the tests. labels Jul 17, 2026
@lsirac lsirac changed the title fix(aith): exit early when agent cert config is outside well-known directory fix(auth): exit early when agent cert config is outside well-known directory Jul 17, 2026
# delays.
well_known_dir = os.path.dirname(_WELL_KNOWN_CERT_PATH)
has_well_known_dir = os.path.exists(well_known_dir)
should_poll = cert_config_path.startswith(well_known_dir)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using string prefix matching here is not safe and can create both false positives and false negatives (e.g. when paths contain symlinks, but not sure if that is something we need to handle).

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. I did some digging into the Cloud Run implementation, and it seems like CR doesn't use symlinks for these mounts (unlike Kubernetes), and it supplies a strict logical path to the environment variable. So we can safely fix the prefix vulnerability purely via string manipulation using os.path.abspath and os.path.commonpath without needing to hit the filesystem to resolve symlinks! I've updated the logic.

cert_config_path = os.environ.get(environment_vars.GOOGLE_API_CERTIFICATE_CONFIG)

# Check if the well-known workload directory is mounted.
if not cert_config_path:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We now return None when env var is not set. Is this intentional? Will this break anything?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is intentional. The goal of this change is to completely skip any filesystem checks (and polling) unless the feature is explicitly enabled via the GOOGLE_API_CERTIFICATE_CONFIG environment variable. Cloud Run injects this environment variable, so relying on it exclusively is safe. Removing the hardcoded fallback prevents us from introducing unnecessary I/O or startup delays for users who aren't using this feature (see b/522957573)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's test when the first attempt has the file missing, second attempt succeeds, and cert path is returned

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!

return None
except (IOError, ValueError, KeyError) as e:
if cert_config_path and os.path.exists(cert_config_path):
if os.path.exists(cert_config_path):

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we confirm if this is the correct behavior? Gemini says this breaks polling when Cloud Run rotates secret volumes.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what Gemini means by that, but the actual behavior didn't change, I just removed the redundant cert_config_path and truthiness check since we now guarantee it's not None at the top of the function.
So I don't think this would break or make any functional difference for CR.

@nbayati
nbayati requested a review from lsirac July 17, 2026 20:42

@lsirac lsirac left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just missing tests for the absolute path / startsWith change

@nbayati
nbayati enabled auto-merge (squash) July 17, 2026 22:52
@nbayati
nbayati merged commit 61e795a into googleapis:main Jul 17, 2026
39 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants