92b42a1
Support the mTLS IAM domain for Certificate based Access
amtk3 Jan 15, 2026
af469a3
Update google/auth/iam.py
amtk3 Jan 15, 2026
94a0e77
Merge branch 'main' into support-mtls-iam-domain
chalmerlowe Jan 15, 2026
b52742b
updates handling of mtls and universe domain
chalmerlowe Jan 16, 2026
64cd681
updates linting
chalmerlowe Jan 16, 2026
e9ffe54
Merge branch 'main' into support-mtls-iam-domain
chalmerlowe Jan 16, 2026
bfe7081
Merge branch 'main' into support-mtls-iam-domain
daniel-sanche Jan 16, 2026
e2e2b9b
Support an alternative env to decide if mtls should be enabled
amtk3 Jan 19, 2026
f540519
feat(iam): support an alternative env to decide if mtls should be ena…
amtk3 Jan 19, 2026
6a3bf26
feat: add fallback env vars for mTLS config
google-labs-jules[bot] Jan 22, 2026
150511c
Merge pull request #3 from amtk3/mtls-env-vars-fallback-1336179603064…
amtk3 Jan 22, 2026
90793f1
Use "_mtls_helper" class
amtk3 Jan 22, 2026
3ae9e7a
Merge branch 'iam-mtls-alternative-env' into support-mtls-iam-domain
amtk3 Jan 22, 2026
7fdefea
Merge pull request #4 from amtk3/support-mtls-iam-domain
amtk3 Jan 22, 2026
471a0bc
Merge branch 'main' into iam-mtls-alternative-env
chalmerlowe Jan 29, 2026
6995e43
Apply suggestion from @chalmerlowe
chalmerlowe Jan 30, 2026
f62279f
moves tests to a more appropriate file.
chalmerlowe Jan 30, 2026
47015a8
removes no longer needed file.
chalmerlowe Jan 30, 2026
2d7f263
updates linting
chalmerlowe Jan 30, 2026
d5694e9
samples: delete samples/snippets directory
chalmerlowe Feb 26, 2026
12 changes: 12 additions & 0 deletions google/auth/environment_vars.py
Expand Up @@ -113,6 +113,18 @@
"""Environment variable defining the location of Google API certificate config
file."""

CLOUDSDK_CONTEXT_AWARE_USE_CLIENT_CERTIFICATE = (
"CLOUDSDK_CONTEXT_AWARE_USE_CLIENT_CERTIFICATE"
)
"""Environment variable controlling whether to use client certificate or not.
This variable is the fallback of GOOGLE_API_USE_CLIENT_CERTIFICATE."""

CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH = (
"CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH"
)
"""Environment variable defining the location of Google API certificate config
file. This variable is the fallback of GOOGLE_API_CERTIFICATE_CONFIG."""

GOOGLE_API_PREVENT_AGENT_TOKEN_SHARING_FOR_GCP_SERVICES = (
"GOOGLE_API_PREVENT_AGENT_TOKEN_SHARING_FOR_GCP_SERVICES"
)
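Review bot: The docstrings of the two new CLOUDSDK_* constants say they are fallbacks but not when the fallback is consulted or which values are honoured, which is what a reader of environment_vars.py will look for first. Per the consumer in google/auth/transport/_mtls_helper.py in this same change, CLOUDSDK_CONTEXT_AWARE_USE_CLIENT_CERTIFICATE is read only when GOOGLE_API_USE_CLIENT_CERTIFICATE is unset or empty and enables mTLS only for the value `true` compared case-insensitively, so I would extend the first docstring with `Consulted only when GOOGLE_API_USE_CLIENT_CERTIFICATE is unset or empty; any value other than "true" (case-insensitive) leaves client certificates disabled.` For the path variable the two consumers appear to differ on whether an empty primary value triggers the fallback (the _get_cert_config_path hunk checks for empty, the check_use_client_cert hunk only for None), so I would state only that it is consulted when GOOGLE_API_CERTIFICATE_CONFIG is unset, or align the consumers before documenting the empty-string case.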
23 changes: 7 additions & 16 deletions google/auth/iam.py
Expand Up @@ -22,14 +22,13 @@
import base64
import http.client as http_client
import json
import os

from google.auth import _exponential_backoff
from google.auth import _helpers
from google.auth import credentials
from google.auth import crypt
from google.auth import exceptions
from google.auth.transport import mtls
from google.auth.transport import _mtls_helper

IAM_RETRY_CODES = {
http_client.INTERNAL_SERVER_ERROR,
Expand All @@ -40,20 +39,12 @@

_IAM_SCOPE = ["https://www.googleapis.com/auth/iam"]

# 1. Determine if we should use mTLS.
# Note: We only support automatic mTLS on the default googleapis.com universe.
if hasattr(mtls, "should_use_client_cert"):
use_client_cert = mtls.should_use_client_cert()
else: # pragma: NO COVER
# if unsupported, fallback to reading from env var
use_client_cert = (
os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false").lower() == "true"
)

# 2. Construct the template domain using the library's DEFAULT_UNIVERSE_DOMAIN constant.
# This ensures that the .replace() calls in the classes will work correctly.
if use_client_cert:
# We use the .mtls. prefix only for the default universe template
# Determine if we should use mTLS.
if (
hasattr(_mtls_helper, "check_use_client_cert")
and _mtls_helper.check_use_client_cert()
):
# Construct the template domain using the library's DEFAULT_UNIVERSE_DOMAIN constant.
_IAM_DOMAIN = f"iamcredentials.mtls.{credentials.DEFAULT_UNIVERSE_DOMAIN}"
else:
_IAM_DOMAIN = f"iamcredentials.{credentials.DEFAULT_UNIVERSE_DOMAIN}"
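Review bot: The `hasattr(_mtls_helper, "check_use_client_cert")` guard in the new condition looks unnecessary, since `_mtls_helper` is in the same package as this module and `check_use_client_cert` is defined in it within this same change; if the guard ever evaluated false the module would silently fall through to the plain `iamcredentials.<domain>` host, disabling mTLS with no signal at all. I would reduce it to `if _mtls_helper.check_use_client_cert():` so that a real packaging mismatch surfaces as an AttributeError rather than a quiet downgrade. The removed comment also recorded that automatic mTLS is supported only on the default googleapis.com universe and that the classes later `.replace()` DEFAULT_UNIVERSE_DOMAIN; the new comment drops the first part, and if that replace still happens a non-default universe would presumably receive an `iamcredentials.mtls.<universe>` host, which contradicts the old note and deserves a unit test. I would keep a line such as `# Automatic mTLS is only supported on the default universe; the .mtls. host is built from DEFAULT_UNIVERSE_DOMAIN on purpose.` above the `if`, as far as that restriction is still intended.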
23 changes: 20 additions & 3 deletions google/auth/transport/_mtls_helper.py
Expand Up @@ -151,7 +151,14 @@ def _get_cert_config_path(certificate_config_path=None):
if env_path is not None and env_path != "":
certificate_config_path = env_path
else:
certificate_config_path = CERTIFICATE_CONFIGURATION_DEFAULT_PATH
env_path = environ.get(
environment_vars.CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH,
None,
)
if env_path is not None and env_path != "":
certificate_config_path = env_path
else:
certificate_config_path = CERTIFICATE_CONFIGURATION_DEFAULT_PATH

certificate_config_path = path.expanduser(certificate_config_path)
if not path.exists(certificate_config_path):
Expand Down Expand Up @@ -452,13 +459,23 @@ def check_use_client_cert():
Returns:
bool: Whether the client certificate should be used for mTLS connection.
"""
use_client_cert = getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE")
use_client_cert = getenv(environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE)
if use_client_cert is None or use_client_cert == "":
use_client_cert = getenv(
environment_vars.CLOUDSDK_CONTEXT_AWARE_USE_CLIENT_CERTIFICATE
)
Comment on lines +462 to +466

medium

The logic for determining use_client_cert can be made more concise by using the or operator.

    use_client_cert = getenv(
        environment_vars.GOOGLE_API_USE_CLIENT_CERTIFICATE
    ) or getenv(environment_vars.CLOUDSDK_CONTEXT_AWARE_USE_CLIENT_CERTIFICATE)


# Check if the value of GOOGLE_API_USE_CLIENT_CERTIFICATE is set.
if use_client_cert:
return use_client_cert.lower() == "true"
else:
# Check if the value of GOOGLE_API_CERTIFICATE_CONFIG is set.
cert_path = getenv("GOOGLE_API_CERTIFICATE_CONFIG")
cert_path = getenv(environment_vars.GOOGLE_API_CERTIFICATE_CONFIG)
if cert_path is None:
cert_path = getenv(
environment_vars.CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH
)
Comment on lines +473 to +477

medium

This logic for determining cert_path can also be simplified using the or operator. This also makes the handling of an empty string consistent with how use_client_cert is handled.

        cert_path = getenv(
            environment_vars.GOOGLE_API_CERTIFICATE_CONFIG
        ) or getenv(
            environment_vars.CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH
        )


if cert_path:
try:
with open(cert_path, "r") as f:
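Review bot: The comments `# Check if the value of GOOGLE_API_USE_CLIENT_CERTIFICATE is set.` and `# Check if the value of GOOGLE_API_CERTIFICATE_CONFIG is set.` in the check_use_client_cert hunk are now stale, since each branch also consults a CLOUDSDK_CONTEXT_AWARE_* fallback, and the function's docstring (its opening lines sit above the hunk) does not mention the fallbacks either. I would change them to `# GOOGLE_API_USE_CLIENT_CERTIFICATE, falling back to CLOUDSDK_CONTEXT_AWARE_USE_CLIENT_CERTIFICATE.` and `# GOOGLE_API_CERTIFICATE_CONFIG, falling back to CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH.`, and add a short paragraph to the docstring listing the lookup order and noting that an explicit non-empty value such as `false` in the primary variable wins over any fallback, since the fallback is only read when the primary is None or empty. The docstring of _get_cert_config_path in the first hunk of this file should likewise mention the new third source for the path ahead of the default, if it documents the lookup order at all. The body of check_use_client_cert continues below the hunk at the `open(cert_path, "r")` call.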
55 changes: 0 additions & 55 deletions samples/cloud-client/snippets/authenticate_explicit_with_adc.py

This file was deleted.

46 changes: 0 additions & 46 deletions samples/cloud-client/snippets/authenticate_implicit_with_adc.py

This file was deleted.

117 changes: 0 additions & 117 deletions samples/cloud-client/snippets/custom_aws_supplier.py

This file was deleted.
