Skip to content

feat: Add trust boundary support for external accounts.#1809

Merged
nbayati merged 8 commits intogoogleapis:mainfrom
nbayati:feat/trust-boundary-external-account
Oct 7, 2025
Merged

feat: Add trust boundary support for external accounts.#1809
nbayati merged 8 commits intogoogleapis:mainfrom
nbayati:feat/trust-boundary-external-account

Conversation

@nbayati
Copy link
Contributor

@nbayati nbayati commented Aug 22, 2025
edited
Loading

Implements the trust boundary feature for external accounts (workforce and workload pool identity, and also authorized user)
Note: The design has changed since the first PR that implemented trust boundary for service accounts, and we are no longer required to send the allowed locations header to IAM or STS requests, only to the google API calls. You can review the most up to date design here: go/trust-boundaries-auth-sdk-v2

@nbayati nbayati requested review from a team as code owners August 22, 2025 22:23
@nbayati nbayati requested review from lsirac and sai-sunder-s August 22, 2025 23:04
@nbayati nbayati requested a review from a team as a code owner August 26, 2025 21:38
sai-sunder-s
sai-sunder-s reviewed Sep 12, 2025
View reviewed changes
tests/test_external_account_authorized_user.py

def test_build_trust_boundary_lookup_url(self):
credentials = self.make_credentials()
expected_url = "https://iamcredentials.googleapis.com/v1/locations/global/workforcePools/POOL_ID/allowedLocations"
Copy link
Contributor

@sai-sunder-s sai-sunder-s Sep 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add few more cases:

  • rep instead of global
  • different universe

Copy link
Contributor Author

@nbayati nbayati Sep 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a test for a different universe. I'm waiting to hear from the backend team to see if they even accept a rep or if the url has to be global. Depending on the conversation, we can address it in a feature PR to make this feature more future-proof.

sai-sunder-s
sai-sunder-s previously approved these changes Sep 23, 2025
View reviewed changes
lsirac
lsirac previously approved these changes Sep 24, 2025
View reviewed changes
@nbayati nbayati dismissed stale reviews from lsirac and sai-sunder-s via 4556d14 October 2, 2025 01:32
@nbayati nbayati requested a review from a team as a code owner October 2, 2025 01:32
@nbayati nbayati enabled auto-merge (squash) October 6, 2025 19:41
@nbayati nbayati added the owlbot:run Add this label to trigger the Owlbot post processor. label Oct 7, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Oct 7, 2025
@nbayati nbayati merged commit 36ecb1d into googleapis:main Oct 7, 2025
13 checks passed
@release-please release-please bot mentioned this pull request Oct 7, 2025
Merged
This was referenced Oct 15, 2025
Closed
Closed
Closed
Closed
This was referenced Oct 15, 2025
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
daniel-sanche pushed a commit that referenced this pull request Oct 28, 2025
@release-please
chore(main): release 2.42.0 (#1819)
2f8826d 
🤖 I have created a release *beep* *boop*
---


##
[2.42.0](v2.41.1...v2.42.0)
(2025-10-24)


### Features

* Add trust boundary support for external accounts.
([#1809](#1809))
([36ecb1d](36ecb1d))


### Bug Fixes

* Read scopes from ADC json for impersoanted cred
([#1820](#1820))
([62c0fc8](62c0fc8))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
@Linchin Linchin mentioned this pull request Nov 5, 2025
Closed
This was referenced Nov 20, 2025
Closed
Closed
parthea pushed a commit to googleapis/google-cloud-python that referenced this pull request Nov 26, 2025
@release-please
chore(main): release 2.42.0 (#1819)
ec80b4e 
🤖 I have created a release *beep* *boop*
---


##
[2.42.0](googleapis/google-auth-library-python@v2.41.1...v2.42.0)
(2025-10-24)


### Features

* Add trust boundary support for external accounts.
([#1809](googleapis/google-auth-library-python#1809))
([36ecb1d](googleapis/google-auth-library-python@36ecb1d))


### Bug Fixes

* Read scopes from ADC json for impersoanted cred
([#1820](googleapis/google-auth-library-python#1820))
([62c0fc8](googleapis/google-auth-library-python@62c0fc8))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
@kiraksi kiraksi mentioned this pull request Mar 6, 2024
Draft
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sai-sunder-s sai-sunder-s sai-sunder-s approved these changes

@lsirac lsirac lsirac left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nbayati @sai-sunder-s @lsirac