x509 cert fix (#15691)

NickElliot · web-flow · commit 525cea9d14cc · 2025-11-14T00:17:50.000Z
diff --git a/mmv1/third_party/terraform/transport/config.go.tmpl b/mmv1/third_party/terraform/transport/config.go.tmpl
@@ -1451,9 +1451,18 @@ func (c *Config) GetCredentials(clientScopes []string, initialCredentialsOnly bo
 				return googleoauth.Credentials{}, fmt.Errorf("Attempted to load application default credentials since neither `credentials` nor `access_token` was set in the provider block.  No credentials loaded. To use your gcloud credentials, run 'gcloud auth application-default login'.  Original error: %w", err)
 			}
 		} else {
-			creds, err = transport.Creds(context.Background(), option.WithScopes(clientScopes...))
-			if err != nil {
-				return googleoauth.Credentials{}, fmt.Errorf("Attempted to load application default credentials since neither `credentials` nor `access_token` was set in the provider block.  No credentials loaded. To use your gcloud credentials, run 'gcloud auth application-default login'.  Original error: %w", err)
+			if AreADCCredentialsX509() {
+				log.Printf("[INFO] Authenticating using EnableNewAuthLibrary")
+				creds, err = transport.Creds(context.Background(), option.WithScopes(clientScopes...), internaloption.EnableNewAuthLibrary())
+				if err != nil {
+					//this call should be backwards compatible, but this initial implementation ahead of the EnableNewAuthLibrary being made default for all googleapi authentication calls is only intended for it to be called on X.509 requests.
+					return googleoauth.Credentials{}, fmt.Errorf("Attempted to load application default credentials since neither `credentials` nor `access_token` was set in the provider block.  No credentials loaded. To use your gcloud credentials, run 'gcloud auth application-default login'. If you are recieving this error while not attempting to authenticate using X.509 certificates, please file an issue with the provider at https://github.com/hashicorp/terraform-provider-google/issues/new/choose. Original error: %w", err)
+				}
+			} else {
+				creds, err = transport.Creds(context.Background(), option.WithScopes(clientScopes...))
+				if err != nil {
+					return googleoauth.Credentials{}, fmt.Errorf("Attempted to load application default credentials since neither `credentials` nor `access_token` was set in the provider block.  No credentials loaded. To use your gcloud credentials, run 'gcloud auth application-default login'.  Original error: %w", err)
+				}
 			}
 		}
 	}
@@ -1481,6 +1490,36 @@ func (c *Config) GetCredentials(clientScopes []string, initialCredentialsOnly bo
 	return *creds, nil
 }
 
+// parse application default credentials to determine if they are X.509 certs
+func AreADCCredentialsX509() bool {
+	adcCreds := MultiEnvSearch([]string{
+		"GOOGLE_APPLICATION_CREDENTIALS",
+	})
+	if adcCreds != "" {
+		contents, _, err := verify.PathOrContents(adcCreds)
+		if err != nil {
+			return false
+		}
+
+		var content map[string]any
+		if err := json.Unmarshal([]byte(contents), &content); err != nil {
+			return false
+		}
+		if content["credential_source"] != nil {
+			if content["credential_source"].(map[string]any)["certificate"] != nil {
+				log.Printf("[INFO] Application Default Credentials identified as using X.509 certificates")
+				return true
+			} else {
+				return false
+			}
+		} else {
+			//ADC file does not contain x509 attribute
+			return false
+		}
+	}
+	return false
+}
+
 // Remove the `/{{"{{"}}version{{"}}"}}/` from a base path if present.
 func RemoveBasePathVersion(url string) string {
 	re := regexp.MustCompile(`(?P<base>http[s]://.*)(?P<version>/[^/]+?/$)`)
