arithmetic1728 commented Apr 14, 2022

internal doc: go/gdch-python-auth-lib

Experimental support for GDCH (Google Distributed Cloud Hosted) credentials.

Besides the constructor, a GDCH credential can be created via application default credentials.

To do so, the user first creates a JSON file in the following format::

    {
        "type":"gdch_service_account",
        "format_version":"v1",
        "k8s_ca_cert_path":"<k8s ca cert pem file path>",
        "k8s_cert_path":"<k8s cert pem file path>",
        "k8s_key_path":"<k8s key pem file path>",
        "k8s_token_endpoint":"<k8s token endpoint>",
        "ais_ca_cert_path":"<AIS ca cert pem file path>",
        "ais_token_endpoint":"<AIS token endpoint>"
    }

Here the "k8s_*" files are used to request a k8s token from the k8s token endpoint over a mutual TLS connection. The k8s token is then sent to the AIS token endpoint in exchange for an AIS token. The AIS token will be used to talk to Google API services.

The "k8s_ca_cert_path" field is not needed if the k8s server uses a well-known CA. The "ais_ca_cert_path" field is not needed if the AIS server uses a well-known CA. These two fields can be used for testing environments.

The "format_version" field stands for the format of the JSON file. For now it is always "v1".

After the JSON file is created, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the JSON file path, then use the following code to create the credential::

    import google.auth

    credential, _ = google.auth.default()
    credential = credential.with_audience("<the audience>")

The audience denotes the scope for which the AIS token is requested; for example, it could be either a k8s cluster or an API service.
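
A pre-flight check for the credential file format given in the PR description above, as an added example that is not part of the pull request or of the google-auth library. The field names come from the description; the https-only endpoint rule, the owner-only key permission rule, and the names `check_gdch_config` and `demo` are assumptions of this example.

```python
import json
import os
import tempfile
from urllib.parse import urlparse

# Field names come from the PR description; the checks themselves are assumptions.
REQUIRED = ("k8s_cert_path", "k8s_key_path", "k8s_token_endpoint", "ais_token_endpoint")
PEM_FIELDS = ("k8s_cert_path", "k8s_key_path", "k8s_ca_cert_path", "ais_ca_cert_path")


def check_gdch_config(path):
    """Return a list of problems found in a GDCH credential JSON file."""
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    problems = []
    for field, want in (("type", "gdch_service_account"), ("format_version", "v1")):
        if cfg.get(field) != want:
            problems.append(f"{field} must be {want!r}")
    problems += [f"missing required field {f}" for f in REQUIRED if not cfg.get(f)]
    # Both endpoints carry credentials, so anything but https is flagged.
    for field in ("k8s_token_endpoint", "ais_token_endpoint"):
        url = urlparse(cfg.get(field) or "")
        if cfg.get(field) and not (url.scheme == "https" and url.hostname):
            problems.append(f"{field} is not an https URL")
    # Referenced PEM files must exist; the two CA fields may be omitted.
    for field in PEM_FIELDS:
        if cfg.get(field) and not os.path.isfile(cfg[field]):
            problems.append(f"{field} is not a file: {cfg[field]}")
    # The mTLS private key should be readable by its owner only (POSIX mode bits).
    key = cfg.get("k8s_key_path")
    if key and os.path.isfile(key) and os.stat(key).st_mode & 0o077:
        problems.append("k8s_key_path is accessible to group or others")
    return problems


def demo():
    """Constructed sample: world-readable key and a plain-http AIS endpoint."""
    d = tempfile.mkdtemp()
    cert, key, cfg_path = (os.path.join(d, n) for n in ("cert.pem", "key.pem", "gdch.json"))
    for pem in (cert, key):
        with open(pem, "w") as fh:
            fh.write("constructed placeholder, not a real PEM\n")
    os.chmod(key, 0o644)
    cfg = {"type": "gdch_service_account", "format_version": "v1",
           "k8s_cert_path": cert, "k8s_key_path": key,
           "k8s_token_endpoint": "https://k8s.example.test/token",
           "ais_token_endpoint": "http://ais.example.test/token"}
    with open(cfg_path, "w") as fh:
        json.dump(cfg, fh)
    return check_gdch_config(cfg_path)
```

Running the check before setting GOOGLE_APPLICATION_CREDENTIALS catches a misplaced key file or a downgraded endpoint before any token request is made.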

arithmetic1728 merged commit 5367aac into main May 10, 2022
arithmetic1728 deleted the gdch_review branch May 10, 2022 20:10
arithmetic1728 added a commit that referenced this pull request May 13, 2022
arithmetic1728 added a commit that referenced this pull request May 13, 2022
gcf-merge-on-green bot pushed a commit that referenced this pull request Jun 7, 2022
🤖 I have created a release *beep* *boop*
---


## [2.7.0](v2.6.6...v2.7.0) (2022-06-07)


### Features

* add experimental enterprise cert support ([#1052](#1052)) ([dda7dda](dda7dda))
* add experimental GDCH support ([#1022](#1022)) ([5367aac](5367aac))
* Pluggable auth support ([#995](#995)) ([62daa73](62daa73))


### Bug Fixes

* validate urls for external accounts ([#1031](#1031)) ([61b1f15](61b1f15))


### Reverts

* pluggable auth support [#995](#995) ([#1039](#1039)) ([513d999](513d999))
* revert experimental GDCH support ([#1022](#1022)) ([#1042](#1042)) ([c720995](c720995))


### Documentation

* fix changelog header to consistent size ([#1046](#1046)) ([e64d084](e64d084))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
parthea pushed a commit to googleapis/google-cloud-python that referenced this pull request Nov 26, 2025