iframe-proxy

agrawalradhika-cell · 2025-12-04T10:27:17Z

The Python SDK will use a hybrid approach for mTLS enablement:

If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is set (either true or false or any value), the SDK will respect that setting. This is necessary for test scenarios and users who need to explicitly control mTLS behavior.
If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is not set, the SDK will automatically enable mTLS only if it detects Managed Workload Identity (MWID) or X.509 Workforce Identity Federation (WIF) certificate sources. In other cases where the variable is not set, mTLS will remain disabled.

gemini-code-assist · 2025-12-04T10:27:39Z

Summary of Changes

Hello @agrawalradhika-cell, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the Google Cloud Python SDK's handling of mutual TLS (mTLS) by introducing a more sophisticated and adaptive enablement mechanism. It prioritizes explicit user control through an environment variable while also enabling mTLS automatically in secure environments where specific certificate sources are detected. This change aims to improve security posture by default for supported authentication methods without requiring manual configuration, while maintaining flexibility for users who need precise control.

Highlights

Hybrid mTLS Enablement: Implements a new hybrid strategy for enabling mutual TLS (mTLS) in the Python SDK, balancing explicit user control with automatic detection.
Environment Variable Priority: The GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable now explicitly controls mTLS behavior if it is set (to any value).
Automatic Detection: If the environment variable is not set, mTLS is automatically enabled only when Managed Workload Identity (MWID) or X.509 Workforce Identity Federation (WIF) certificate sources are detected.
Default Disabled: mTLS remains disabled by default if the environment variable is not set and no supported certificate sources are found.
Refactored Logic: Introduced a new static method _use_client_cert_effective to centralize the mTLS enablement decision logic, leveraging google-auth's should_use_client_cert for automatic detection.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

gemini-code-assist

Code Review

This pull request introduces logic to automatically enable mTLS when supported certificates are detected, falling back to environment variables for older google-auth versions. The changes are mostly good refactorings to centralize this logic. However, I found a critical bug in google/cloud/storage/client.py where a module is used without being imported, which will lead to a NameError. I've suggested a fix for the import and also a refactoring to simplify some duplicated code in the same file.

chandra-siri · 2025-12-04T17:35:49Z

Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>

…sport.mtls Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>

Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>

daniel-sanche

You can ignore my comments on the auto-generated code, those should have been left in the gapic-generator PR

Hand-wrritten changes LGTM

🤖 I have created a release *beep* *boop* --- ## [3.7.0](v3.6.0...v3.7.0) (2025-12-09) ### Features * Auto enable mTLS when supported certificates are detected ([#1637](#1637)) ([4e91c54](4e91c54)) * Send entire object checksum in the final api call of resumable upload ([#1654](#1654)) ([ddce7e5](ddce7e5)) * Support urllib3 >= 2.6.0 ([#1658](#1658)) ([57405e9](57405e9)) ### Bug Fixes * **bucket:** Move blob fails when the new blob name contains characters that need to be url encoded ([#1605](#1605)) ([ec470a2](ec470a2)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Chandra Shekhar Sirimala <chandrasiri@google.com>

🤖 I have created a release *beep* *boop* --- ## [3.7.0](googleapis/python-storage@v3.6.0...v3.7.0) (2025-12-09) ### Features * Auto enable mTLS when supported certificates are detected ([#1637](googleapis/python-storage#1637)) ([4e91c54](googleapis/python-storage@4e91c54)) * Send entire object checksum in the final api call of resumable upload ([#1654](googleapis/python-storage#1654)) ([ddce7e5](googleapis/python-storage@ddce7e5)) * Support urllib3 >= 2.6.0 ([#1658](googleapis/python-storage#1658)) ([57405e9](googleapis/python-storage@57405e9)) ### Bug Fixes * **bucket:** Move blob fails when the new blob name contains characters that need to be url encoded ([#1605](googleapis/python-storage#1605)) ([ec470a2](googleapis/python-storage@ec470a2)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Chandra Shekhar Sirimala <chandrasiri@google.com>

agrawalradhika-cell requested review from a team December 4, 2025 10:27

blunderbuss-gcf Bot assigned chandra-siri Dec 4, 2025

product-auto-label Bot added size: m Pull request size is medium. api: storage Issues related to the googleapis/python-storage API. labels Dec 4, 2025

gemini-code-assist Bot reviewed Dec 4, 2025

View reviewed changes

Comment thread google/cloud/storage/client.py Outdated

Comment thread google/cloud/storage/client.py Outdated

product-auto-label Bot added size: l Pull request size is large. and removed size: m Pull request size is medium. labels Dec 5, 2025

agrawalradhika-cell added 4 commits December 5, 2025 22:23

feat: auto-enable mTLS when supported certificates are detected

9348bd9

Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>

feat: Update for using the should_use_client_cert in google.auth.tran…

7683ddf

…sport.mtls Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>

fix: Minor lint and concise code

3c2eb71

Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>

chore: Add tests for tests/unit/gapic/storage_v2/test_storage.py

bfa8a2b

Signed-off-by: Radhika Agrawal <agrawalradhika@google.com>

agrawalradhika-cell force-pushed the update-mtls branch from 3840afe to bfa8a2b Compare December 5, 2025 16:53

daniel-sanche suggested changes Dec 5, 2025

View reviewed changes

Comment thread tests/unit/gapic/storage_v2/test_storage.py

Comment thread tests/unit/gapic/storage_v2/test_storage.py

Comment thread tests/unit/gapic/storage_v2/test_storage.py

daniel-sanche approved these changes Dec 5, 2025

View reviewed changes

Linchin self-requested a review December 5, 2025 21:15

Linchin approved these changes Dec 5, 2025

View reviewed changes

daniel-sanche added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Dec 5, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Dec 5, 2025

Merge branch 'main' into update-mtls

eda8cd2

daniel-sanche added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Dec 8, 2025

daniel-sanche enabled auto-merge (squash) December 8, 2025 18:38

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Dec 8, 2025

daniel-sanche merged commit 4e91c54 into googleapis:main Dec 8, 2025
14 checks passed

release-please Bot mentioned this pull request Dec 8, 2025

chore(main): release 3.7.0 #1621

Merged

vchudnov-g mentioned this pull request Jan 12, 2026

chore: librarian release pull request: 20260112T135255Z #1701

Closed

Sunbelt Computer Software

PL/B Language Development and Support

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: Auto enable mTLS when supported certificates are detected#1637

feat: Auto enable mTLS when supported certificates are detected#1637
daniel-sanche merged 5 commits into
googleapis:mainfrom
agrawalradhika-cell:update-mtls

agrawalradhika-cell commented Dec 4, 2025

Uh oh!

gemini-code-assist Bot commented Dec 4, 2025

Uh oh!

gemini-code-assist Bot left a comment

Uh oh!

Uh oh!

Uh oh!

chandra-siri commented Dec 4, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

daniel-sanche left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Sunbelt Computer Software

PL/B Language Development and Support

Uh oh!

Conversation

agrawalradhika-cell commented Dec 4, 2025

Uh oh!

gemini-code-assist Bot commented Dec 4, 2025

Summary of Changes

Highlights

Footnotes

Uh oh!

gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

Uh oh!

Uh oh!

chandra-siri commented Dec 4, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

daniel-sanche left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants