
Conversation

@agrawalradhika-cell
Contributor

The Python SDK will use a hybrid approach for mTLS enablement:

If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is set (either true or false or any value), the SDK will respect that setting. This is necessary for test scenarios and users who need to explicitly control mTLS behavior.
If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is not set, the SDK will automatically enable mTLS only if it detects Managed Workload Identity (MWID) or X.509 Workforce Identity Federation (WIF) certificate sources. In other cases where the variable is not set, mTLS will remain disabled.
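
The precedence described above (and restated later in the Gemini summary as the `_use_client_cert_effective` helper) is easy to get subtly wrong, so here is an added, stand-alone example of the decision logic. It is not the PR's code. It assumes that `google.auth.transport.mtls.should_use_client_cert()` is the google-auth hook the description refers to (the page names the function but not its import path or signature), and it assumes the existing client-library convention that only the literal `true` (case-insensitive) enables mTLS when the variable is set, with any other value disabling it. The detector is injectable so the branches can be exercised without a real certificate source.

```python
"""Hybrid mTLS enablement decision, modelled on the PR description.

Precedence:
  1. GOOGLE_API_USE_CLIENT_CERTIFICATE set  -> honour it, skip detection.
  2. Variable unset                         -> enable only if the auth library
     reports a supported certificate source (MWID / X.509 WIF).
  3. Detection unavailable or failing       -> mTLS stays disabled.
"""
import logging
import os
from typing import Callable, Mapping, Optional, Tuple

log = logging.getLogger(__name__)

ENV_VAR = "GOOGLE_API_USE_CLIENT_CERTIFICATE"


def detect_via_google_auth() -> bool:
    """Default detector: defer to google-auth.

    ASSUMPTION: the PR names google-auth's `should_use_client_cert` but not its
    import path or signature; google.auth.transport.mtls.should_use_client_cert()
    is assumed here. An older google-auth without it counts as "no source found".
    """
    try:
        from google.auth.transport import mtls
    except ImportError:
        return False
    should_use = getattr(mtls, "should_use_client_cert", None)
    if should_use is None:
        return False
    return bool(should_use())


def explain_mtls_decision(
    env: Optional[Mapping[str, str]] = None,
    detect: Callable[[], bool] = detect_via_google_auth,
) -> Tuple[bool, str]:
    """Return (use_client_cert, reason).

    `env` defaults to os.environ; `detect` is injectable so the decision can be
    unit-tested without a real certificate source or a specific google-auth.
    """
    if env is None:
        env = os.environ

    raw = env.get(ENV_VAR)
    if raw is not None:
        # An explicit setting wins, even where it disables mTLS although a
        # certificate source exists. ASSUMPTION (client-library convention):
        # only the literal "true", case-insensitively, enables; anything else
        # disables, so "1" or "yes" silently leaves mTLS off.
        normalized = raw.strip().lower()
        if normalized not in ("true", "false"):
            log.warning("%s=%r is not 'true'/'false'; treating as disabled", ENV_VAR, raw)
        return normalized == "true", f"{ENV_VAR} set to {raw!r}"

    # Variable unset: auto-detect, but never let a detector failure break
    # client construction. A failure degrades to plain TLS rather than raising.
    try:
        found = bool(detect())
    except Exception as exc:  # noqa: BLE001 - deliberately broad
        log.warning("mTLS auto-detection failed; leaving mTLS disabled: %s", exc)
        return False, f"detection error: {exc}"

    if found:
        return True, "supported certificate source detected (MWID / X.509 WIF)"
    return False, "no supported certificate source detected"


def use_client_cert_effective(
    env: Optional[Mapping[str, str]] = None,
    detect: Callable[[], bool] = detect_via_google_auth,
) -> bool:
    """Boolean form, mirroring the role of the PR's `_use_client_cert_effective`."""
    return explain_mtls_decision(env, detect)[0]


if __name__ == "__main__":
    # Constructed scenarios, not real environments.
    scenarios = {
        "explicit true, no source": ({ENV_VAR: "true"}, lambda: False),
        "explicit false, source present": ({ENV_VAR: "false"}, lambda: True),
        "unset, source present": ({}, lambda: True),
        "unset, no source": ({}, lambda: False),
    }
    for name, (env, detect) in scenarios.items():
        print(f"{name:32} -> {explain_mtls_decision(env, detect)}")
```

The practical consequence of the third branch is worth keeping in mind: auto-detection is best-effort, so a deployment that must use mTLS should pin `GOOGLE_API_USE_CLIENT_CERTIFICATE=true` rather than rely on detection, and the `reason` string is what to log when diagnosing why a client did or did not present a certificate.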

@agrawalradhika-cell agrawalradhika-cell requested review from a team as code owners December 4, 2025 10:27
@product-auto-label product-auto-label bot added size: m Pull request size is medium. api: storage Issues related to the googleapis/python-storage API. labels Dec 4, 2025
@gemini-code-assist
Contributor

Summary of Changes

Hello @agrawalradhika-cell, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the Google Cloud Python SDK's handling of mutual TLS (mTLS) by introducing a more sophisticated and adaptive enablement mechanism. It prioritizes explicit user control through an environment variable while also enabling mTLS automatically in secure environments where specific certificate sources are detected. This change aims to improve security posture by default for supported authentication methods without requiring manual configuration, while maintaining flexibility for users who need precise control.

Highlights

  • Hybrid mTLS Enablement: Implements a new hybrid strategy for enabling mutual TLS (mTLS) in the Python SDK, balancing explicit user control with automatic detection.
  • Environment Variable Priority: The GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable now explicitly controls mTLS behavior if it is set (to any value).
  • Automatic Detection: If the environment variable is not set, mTLS is automatically enabled only when Managed Workload Identity (MWID) or X.509 Workforce Identity Federation (WIF) certificate sources are detected.
  • Default Disabled: mTLS remains disabled by default if the environment variable is not set and no supported certificate sources are found.
  • Refactored Logic: Introduced a new static method _use_client_cert_effective to centralize the mTLS enablement decision logic, leveraging google-auth's should_use_client_cert for automatic detection.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces logic to automatically enable mTLS when supported certificates are detected, falling back to environment variables for older google-auth versions. The changes are mostly good refactorings to centralize this logic. However, I found a critical bug in google/cloud/storage/client.py where a module is used without being imported, which will lead to a NameError. I've suggested a fix for the import and also a refactoring to simplify some duplicated code in the same file.

@chandra-siri
Collaborator

kokoro failure should be fixed once this is merged - #1635

@product-auto-label product-auto-label bot added size: l Pull request size is large. and removed size: m Pull request size is medium. labels Dec 5, 2025
Contributor

@daniel-sanche daniel-sanche left a comment

You can ignore my comments on the auto-generated code, those should have been left in the gapic-generator PR

Hand-written changes LGTM

@Linchin Linchin self-requested a review December 5, 2025 21:15
@daniel-sanche daniel-sanche added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Dec 5, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Dec 5, 2025
@daniel-sanche daniel-sanche added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Dec 8, 2025
@daniel-sanche daniel-sanche enabled auto-merge (squash) December 8, 2025 18:38
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Dec 8, 2025
@daniel-sanche daniel-sanche merged commit 4e91c54 into googleapis:main Dec 8, 2025
14 checks passed
chandra-siri added a commit that referenced this pull request Dec 9, 2025
🤖 I have created a release *beep* *boop*
---


## [3.7.0](v3.6.0...v3.7.0) (2025-12-09)


### Features

* Auto enable mTLS when supported certificates are detected
([#1637](#1637))
([4e91c54](4e91c54))
* Send entire object checksum in the final api call of resumable upload
([#1654](#1654))
([ddce7e5](ddce7e5))
* Support urllib3 >= 2.6.0
([#1658](#1658))
([57405e9](57405e9))


### Bug Fixes

* **bucket:** Move blob fails when the new blob name contains characters
that need to be url encoded
([#1605](#1605))
([ec470a2](ec470a2))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: Chandra Shekhar Sirimala <[email protected]>
5 participants