feat(python-client): Add Google Cloud authentication support #6

Merged
steren merged 1 commit into GoogleCloudPlatform:main from wietsevenema:pr-python-auth
Jan 12, 2026

wietsevenema (Collaborator) commented Jan 8, 2026

This PR introduces built-in authentication support for the Python client, enabling secure connections to Cloud Run services protected by IAM.

Key Changes

Public API Update

  • Added use_google_auth (bool) parameter to Sandbox.create and Sandbox.attach. When enabled, the client automatically fetches an OIDC ID token.

Authentication Logic

  • Implemented _get_id_token to fetch OIDC tokens automatically.
  • Fallback: Tries Application Default Credentials (ADC) first; falls back to the Metadata Server if DefaultCredentialsError is raised.
  • Audience Derivation: Automatically maps connection hosts to the correct OIDC audience (always using https://).
  • Token Refresh: Automatically fetches a fresh ID token before every reconnection attempt if use_google_auth is enabled.
  • Error Hints: Provides hints for 401/403 errors and appends a link to the official Cloud Run troubleshooting documentation.
  • Logging: Added debug logs to trace audience derivation logic.

Testing & Examples

  • Added comprehensive unit tests in test_sandbox.py verifying the auth flow, mock credential handling, token refreshing, and error hint generation.
  • Updated all Python examples (basic.py, checkpoint.py, etc.) to enable use_google_auth=True by default.
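
The flow described in this comment (audience derivation, ADC-then-metadata fallback, a fresh token per connection attempt), as an added example that is not code from this PR. The function names, the injected fetcher callables, the sample host, and the choice to drop port and path from the audience are assumptions; a real fetcher would call google-auth.

```python
from urllib.parse import urlsplit

try:
    from google.auth.exceptions import DefaultCredentialsError
except ImportError:  # google-auth absent: stand-in so this sketch still runs
    class DefaultCredentialsError(Exception):
        pass


def derive_audience(url: str) -> str:
    """Map a connection URL (ws, wss, http, https or bare host) to an audience."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = parts.hostname  # lower-cased; userinfo and port are dropped (assumption)
    if not host:
        raise ValueError(f"cannot derive audience from {url!r}")
    return f"https://{host}"  # always https, whatever the connection scheme


def get_id_token(audience, adc_fetch, metadata_fetch):
    """Try ADC first; use the metadata server only when ADC has no credentials."""
    try:
        return adc_fetch(audience)
    except DefaultCredentialsError:
        return metadata_fetch(audience)


def auth_headers(url, adc_fetch, metadata_fetch):
    """Call once per connection attempt so a reconnect never reuses an old token."""
    token = get_id_token(derive_audience(url), adc_fetch, metadata_fetch)
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    # Constructed fetchers: ADC is unavailable, the metadata source numbers its tokens.
    issued = []

    def no_adc(aud):
        raise DefaultCredentialsError("no ADC configured")

    def metadata(aud):
        issued.append(aud)
        return f"token-{len(issued)}"

    for attempt in range(2):
        print(auth_headers("wss://sandbox-abc123.a.run.app/ws", no_adc, metadata))
    print(issued)
```

Only DefaultCredentialsError triggers the fallback; any other failure from the first source propagates, so a misconfigured credential is not silently masked by the metadata server.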

wietsevenema marked this pull request as draft January 8, 2026 16:28

steren (Collaborator) commented Jan 9, 2026

Thanks! lmk when I should review

wietsevenema force-pushed the pr-python-auth branch 13 times, most recently from 88548c6 to 0e521a7 January 9, 2026 16:42
wietsevenema requested a review from steren January 9, 2026 16:47
wietsevenema marked this pull request as ready for review January 9, 2026 16:47

wietsevenema (Collaborator, Author) commented

@steren PTAL

- Adds 'use_google_auth' parameter to Sandbox.create and Sandbox.attach for automatic OIDC token fetching.

- Integrates google-auth with robust fallback (ADC -> Metadata).

- Simplifies audience derivation to always use 'https://' for OIDC compatibility.

- Implements automatic token refresh during reconnection to handle 1-hour OIDC expiration.

- Centralizes error handling with '_append_error_hint' to provide actionable 401/403 hints and Cloud Run troubleshooting links.

- Updates all examples and tests to match the new signature and logic.

- Updates .gitignore to ignore venv/ and build/.
steren merged commit 23c98b9 into GoogleCloudPlatform:main Jan 12, 2026
3 checks passed