Skip to content

feat: Add TrustBoundaries support for ExternalAccounts. #1836

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 18 commits into
base: feat-tb-sa
Choose a base branch
from
Open

feat: Add TrustBoundaries support for ExternalAccounts. #1836

wants to merge 18 commits into from
+518 −45

Conversation

@vverman
Copy link
Contributor

@vverman vverman commented Oct 27, 2025

Added logic and unit tests for trust boundary for external accounts. This PR covers

  1. Workload authentication.
  2. Workforce authentication. (headful and headless)
  3. Service account impersonation for workloads and workforces.

This PR is a followup of the initial PR for Trust Boundaries for Service accounts.

vverman added 10 commits October 24, 2025 13:15
@vverman
Initial Changes for trust boundary structure without TB enabled check…
d305b2f 
… and header value.

# Conflicts:
#	oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
#	oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java
#	oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

# Conflicts:
#	oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
#	oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java
#	oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java
#	oauth2_http/java/com/google/auth/oauth2/OAuth2Credentials.java
#	oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
#	oauth2_http/java/com/google/auth/oauth2/TrustBoundary.java
@vverman
Added changes to authenticate TB endpoint, add correct TB headers.
c17e26d
@vverman
Added unit tests for Trust Boundary for Service accounts. Updated. th…
2b486bd 
…e trust boundary enabler env variable
@vverman
Formatting changes
63f508b
@vverman
Trust Boundary Recovery
5bddb2f
@vverman
Changed key for encodedLocations and changed tests.
9fb3547
@vverman
minor fixes
dab6d3b
@vverman
External Account Initial Changes.
d58147c
@vverman
Added tests for all excepting ExternalAccountCredentials.
283d8b5
@vverman
Added tests for ExternalAccountCredentials trust boundary. Added comm…
b4e5199 
…ents regarding a separate mock for trust boundary.
@vverman vverman requested review from a team as code owners October 27, 2025 18:13
@product-auto-label product-auto-label bot added the size: l Pull request size is large. label Oct 27, 2025
@vverman vverman force-pushed the feat/trust-boundary-external-account branch from fb18c0c to 458bad4 Compare October 27, 2025 23:24
@vverman vverman self-assigned this Oct 29, 2025
@vverman vverman requested review from lqiu96 and nbayati October 29, 2025 17:57
@vverman vverman added the do not merge Indicates a pull request not ready for merge, due to either quality or timing. label Oct 29, 2025
nbayati
nbayati reviewed Oct 30, 2025
View reviewed changes
@vverman vverman requested a review from nbayati October 30, 2025 22:11
nbayati
nbayati reviewed Oct 30, 2025
View reviewed changes
@vverman vverman requested a review from lqiu96 October 31, 2025 21:21
@lqiu96
Copy link
Member

lqiu96 commented Nov 3, 2025

I think things generally LGTM. I will do a second pass for the tests below.

nbayati
nbayati reviewed Nov 3, 2025
View reviewed changes
oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java Outdated
AccessToken accessToken = this.impersonatedCredentials.refreshAccessToken();
// After the impersonated credential refreshes, its trust boundary is
// also refreshed. That is the trust boundary we will use.
// We use the impersonated account's credential as the trust boundary
Copy link
Contributor

@nbayati nbayati Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I think the previous comment was more clear.

nbayati
nbayati approved these changes Nov 3, 2025
View reviewed changes
Copy link
Contributor

@nbayati nbayati left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Great job! :)

@product-auto-label product-auto-label bot added size: xl Pull request size is extra large. and removed size: l Pull request size is large. labels Nov 4, 2025
@vverman vverman force-pushed the feat/trust-boundary-external-account branch from 01eb20d to 2071071 Compare November 4, 2025 06:31
@product-auto-label product-auto-label bot added size: l Pull request size is large. and removed size: xl Pull request size is extra large. labels Nov 4, 2025
@vverman vverman requested a review from lqiu96 November 4, 2025 19:00
lqiu96
lqiu96 reviewed Nov 5, 2025
View reviewed changes
oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java
Comment on lines +342 to +344
protected void setTrustBoundary(TrustBoundary trustBoundary) {
this.trustBoundary = trustBoundary;
}
Copy link
Member

@lqiu96 lqiu96 Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this still needed?

lqiu96
lqiu96 reviewed Nov 5, 2025
View reviewed changes
oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
.setSubjectTokenType("subjectTokenType")
.build();

awsCredential.refreshAccessToken();
Copy link
Member

@lqiu96 lqiu96 Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I think most of the other test classes use .refresh()

lqiu96
lqiu96 reviewed Nov 5, 2025
View reviewed changes
oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
Comment on lines +650 to +652
throw new IllegalStateException(
"The provided audience is not in a valid format for either a workload identity pool or a workforce pool.");
}
Copy link
Member

@lqiu96 lqiu96 Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: If possible, is there an official doc that we can link to with the format for workload pool and workforce pool?

lqiu96
lqiu96 reviewed Nov 5, 2025
View reviewed changes
oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java
Comment on lines +232 to +233
throw new IllegalStateException(
"The provided audience is not in the correct format for a workforce pool.");
Copy link
Member

@lqiu96 lqiu96 Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: If possible, can we link to a public offical doc that has the format for workforce pool?

lqiu96
lqiu96 approved these changes Nov 5, 2025
View reviewed changes
Copy link
Member

@lqiu96 lqiu96 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I added a few nits that may need additional code changes (feel free to resolve if it's not possible). I can re-approve afterwards.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lqiu96 lqiu96 lqiu96 approved these changes

@nbayati nbayati nbayati approved these changes

Assignees

@vverman vverman

Labels

do not merge Indicates a pull request not ready for merge, due to either quality or timing. size: l Pull request size is large.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vverman @lqiu96 @nbayati