Make GCP SA token refresh non-blocking with warning on failure #1330

Merged: hectorcast-db merged 1 commit into main from hectorcast-db/stack/gcp-auth on Mar 13, 2026
@hectorcast-db commented Mar 13, 2026

Summary

  • Removes the ClientType.ACCOUNT guard on GCP SA access token refresh in both google_credentials and google_id credential providers
  • Always attempts to refresh the GCP SA access token, but catches failures with a warning log instead of blocking authentication
  • Users who lack permissions to mint the GCP SA access token will no longer fail auth entirely

Test plan

  • Added test_google_credentials_includes_sa_token_on_success — verifies SA token header is included when refresh succeeds
  • Added test_google_credentials_warns_on_sa_token_failure — verifies warning is logged and SA token header is omitted on failure
  • Added test_google_id_includes_sa_token_on_success — verifies SA token header is included when refresh succeeds
  • Added test_google_id_warns_on_sa_token_failure — verifies warning is logged and SA token header is omitted on failure
  • Run all our tests passing always a (potentially dummy) SA header: [do not merge] Test GCP header in workspace #1328

This pull request was AI-assisted by Isaac.

NO_CHANGELOG=true

Previously, the GCP SA access token refresh was gated on
ClientType.ACCOUNT. Now it always attempts the refresh but catches
failures with a warning, since users may not have permissions to mint
the SA token and this should not block authentication.

Co-authored-by: Isaac
@github-actions

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-py

Inputs:

  • PR number: 1330
  • Commit SHA: 380726e3499d6deaf65eaf2b72523864ab355aa0

Checks will be approved automatically on success.

@hectorcast-db hectorcast-db requested review from tanmay-db and tejaskochar-db and removed request for tanmay-db March 13, 2026 08:42

@tejaskochar-db tejaskochar-db left a comment

lgtm

@hectorcast-db hectorcast-db enabled auto-merge March 13, 2026 08:54
@hectorcast-db hectorcast-db added this pull request to the merge queue Mar 13, 2026
Merged via the queue into main with commit cbcaf00 Mar 13, 2026
17 of 19 checks passed
@hectorcast-db hectorcast-db deleted the hectorcast-db/stack/gcp-auth branch March 13, 2026 09:15
github-merge-queue bot pushed a commit to databricks/databricks-sdk-go that referenced this pull request Mar 17, 2026
## 🥞 Stacked PR
Use this [link](https://github.com/databricks/databricks-sdk-go/pull/1544/files) to review incremental changes.
- [**stack/port/gcp-sa-token-non-blocking**](#1544) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1544/files)]
- [stack/port/test-environment-type](#1545) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1545/files/bd038478c97820339e8964bfd74457dabfa945ad..2be31bf5c15ab0d33857e90e8504425f34489d63)]
- [stack/port/host-metadata-integration-test](#1546) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1546/files/2be31bf5c15ab0d33857e90e8504425f34489d63..b950d35820b3aefac7f9f3d12c837ddf5836ed80)]
- [stack/port/remove-unified-flag](#1547) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1547/files/b950d35820b3aefac7f9f3d12c837ddf5836ed80..221415789356aa846dfb0f346d690b67bd5c2aa4)]
- [stack/port/gcp-sa-from-metadata](#1548) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1548/files/221415789356aa846dfb0f346d690b67bd5c2aa4..8130b1f2566f65af5c40439ba1063b7f5f477835)]

---------
## Summary
- Port of Python SDK PR
databricks/databricks-sdk-py#1330
- Add `serviceToServiceVisitorWithFallback()` that logs a warning and
skips the secondary header when the SA token source fails, instead of
returning an error
- `GoogleDefaultCredentials` now always attempts to create an SA token
source regardless of config type, falling back gracefully on failure
- `GoogleCredentials` also uses the fallback visitor

## Test plan
- `TestServiceToServiceVisitorWithFallback_BothSucceed`
- `TestServiceToServiceVisitorWithFallback_SecondaryFails_SkipsHeader`
- `TestServiceToServiceVisitorWithFallback_PrimaryFails_ReturnsError`

NO_CHANGELOG=true

This pull request was AI-assisted by Isaac.
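
The fallback behaviour described in this PR and in the Go port's test plan (both succeed, secondary fails and the header is skipped, primary fails and the error is returned), as an added example that is not code from either SDK. The header name `X-Example-GCP-SA-Access-Token`, the `header_factory` helper and the token sources are assumptions constructed for illustration.

```python
import logging
from typing import Callable, Dict

logger = logging.getLogger("example.gcp_auth")

# Placeholder header name for this example (assumption, not taken from the PR).
SA_TOKEN_HEADER = "X-Example-GCP-SA-Access-Token"

TokenSource = Callable[[], str]


def header_factory(id_token: TokenSource, sa_token: TokenSource) -> Callable[[], Dict[str, str]]:
    """Return a callable that builds the auth headers for each request."""

    def build() -> Dict[str, str]:
        # Primary credential: any failure propagates, so auth still fails closed.
        headers = {"Authorization": f"Bearer {id_token()}"}
        try:
            # Secondary credential: always attempted, with no client-type guard.
            headers[SA_TOKEN_HEADER] = sa_token()
        except Exception as exc:
            # Log the exception type rather than its message, so nothing
            # returned by the token endpoint ends up in the log.
            logger.warning("GCP SA access token refresh failed (%s); omitting %s",
                           type(exc).__name__, SA_TOKEN_HEADER)
        return headers

    return build


# Constructed token sources standing in for real credential refreshes.
def ok_id_token() -> str:
    return "constructed-id-token"

def ok_sa_token() -> str:
    return "constructed-sa-token"

def denied_sa_token() -> str:
    raise PermissionError("caller may not mint SA access tokens")

def broken_id_token() -> str:
    raise RuntimeError("ID token refresh failed")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(header_factory(ok_id_token, ok_sa_token)())
    print(header_factory(ok_id_token, denied_sa_token)())
```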