fix(auth): configure mTLS for impersonated credentials (#17404) · googleapis/google-cloud-python@57269d5 · GitHub

Commit 57269d5

fix(auth): configure mTLS for impersonated credentials (#17404)
### Description

This PR configures `AuthorizedSession` to support mutual TLS (mTLS) when refreshing impersonated ID tokens or signing bytes.

### Context

When using impersonated credentials (e.g., via `gcloud auth print-identity-token --impersonate-service-account=...`) in environments where mTLS is enforced by Context Aware Access (CAA) policies, the requests fail with `401 UNAUTHENTICATED` (specifically `ACCESS_TOKEN_TYPE_UNSUPPORTED`). Although the endpoint correctly resolves to the mTLS domain (`iamcredentials.mtls.googleapis.com`), the underlying `AuthorizedSession` created in `impersonated_credentials.py` is never configured with the client certificate, causing the TLS handshake to lack the required client cert.

### Changes

* **`google/auth/impersonated_credentials.py`**:
  * Added `authed_session.configure_mtls_channel()` in `Credentials.sign_bytes` right after the session is created.
  * Added `authed_session.configure_mtls_channel()` in `IDTokenCredentials.refresh` right after the session is created.
* **`tests/test_impersonated_credentials.py`**:
  * Added `test_sign_bytes_configures_mtls` and `test_id_token_refresh_configures_mtls` unit tests to verify `configure_mtls_channel` is invoked.

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: amtk3 <254821816+amtk3@users.noreply.github.com>
1 parent 59fe7cf commit 57269d5

2 files changed

Lines changed: 45 additions & 0 deletions

File tree

packages/google-auth/google/auth/impersonated_credentials.py

Lines changed: 2 additions & 0 deletions

packages/google-auth/tests/test_impersonated_credentials.py

Lines changed: 43 additions & 0 deletions

0 commit comments
