Skip to content

google-auth: Fix static module-level IAM endpoints and propagate mTLS certificates to internal helper sessions #17282

Open
Open
google-auth: Fix static module-level IAM endpoints and propagate mTLS certificates to internal helper sessions#17282
Labels
type: bugError or flaw in code with unintended results or allowing sub-optimal usage patterns.
@nbayati

Description

@nbayati
nbayati
opened on May 28, 2026

Summary of the Issue

The current mTLS implementation for IAM Credentials API endpoints in google-auth is broken due to two distinct, related issues:

  1. Static import-time endpoint configuration: The library determines whether to use mTLS endpoints (e.g., iamcredentials.mtls.googleapis.com) once on module import. This prevents late-binding of certificates or runtime credential transitions from executing over the secure domain.
  2. Unconfigured internal helper transport: The actual HTTP transport adapter passed to internal IAM requests is an unconfigured helper session that lacks the mTLS client certificate, causing connection failures or silent security fallbacks to standard one-way TLS.

Part 1: Static Domain Evaluation at Import Time

In google/auth/iam.py, the domain hostname _IAM_DOMAIN is evaluated globally during import:

# google/auth/iam.py
if (
    hasattr(_mtls_helper, "check_use_client_cert")
    and _mtls_helper.check_use_client_cert()
):
    _IAM_DOMAIN = f"iamcredentials.mtls.{credentials.DEFAULT_UNIVERSE_DOMAIN}"
else:
    _IAM_DOMAIN = f"iamcredentials.{credentials.DEFAULT_UNIVERSE_DOMAIN}"

_IAM_BASE_URL = f"https://{_IAM_DOMAIN}/v1/projects/-/serviceAccounts/{{}}"

Evaluating this hostname statically at initial module load breaks two major flows:

  • Late configuration bootstraps: Programmatic environment updates (e.g., setting os.environ["GOOGLE_API_USE_CLIENT_CERTIFICATE"] = "true") or dynamically mounting certificate configurations after import statements run are completely ignored.
  • Runtime identity transitions: When identities transition at runtime (e.g., from standard service accounts to federated workload identities), the client cannot dynamically adapt its destination endpoints to match the certificate state.

Proposed Solution for Part 1:

Refactor google/auth/iam.py to resolve these endpoints dynamically per call (utilizing caching via @functools.lru_cache or similar helper strategies to prevent excessive lookup overhead).
In addition, no unit tests were added when the change to support mtls endpoints was added. Unit tests must be added to cover that the right endpoint is being triggered.

Part 2: Unconfigured Internal Helper Transport

Even if the IAM endpoints are resolved dynamically at runtime, requests to iamcredentials.mtls.googleapis.com will still fail to establish a valid mutual-TLS channel.

When a user calls configure_mtls_channel() on AuthorizedSession (in requests.py) or AuthorizedHttp (in urllib3.py), the client certificates are only mounted onto the outer client session:

# google/auth/transport/requests.py -> configure_mtls_channel()
if self._is_mtls:
    mtls_adapter = _MutualTlsAdapter(cert, key)
    self.mount("https://", mtls_adapter)

However, the credentials class delegates token refreshing and internal IAM requests (such as signBlob or generateAccessToken) to a separate internal helper session (self._auth_request_session wrapped by self._auth_request) to avoid infinite recursion:

# google/auth/transport/requests.py -> __init__()
if auth_request is None:
    self._auth_request_session = requests.Session()
    auth_request = Request(self._auth_request_session)

This internal helper session is never updated with the client certificate. When iam.py or impersonated_credentials.py dispatches a signing request, it utilizes this unconfigured internal transport:

# google/auth/iam.py -> _make_signing_request()
self._credentials.before_request(self._request, method, url, headers)
response = self._request(url=url, method=method, body=body, headers=headers)

Because the internal transport lacks the client certificate:

  • If GFE allows optional client certificates, the TLS handshake succeeds but silently falls back to standard one-way TLS, bypassing the security properties of mTLS.
  • If strict Certificate-Based Access (CBA) policies are enforced, the connection is blocked, resulting in runtime outages.

Proposed Solution for Part 2:

Ensure the client certificate configuration propagates to the inner helper transport during channel setup.

For Requests (google/auth/transport/requests.py):

if self._is_mtls:
    mtls_adapter = _MutualTlsAdapter(cert, key)
    self.mount("https://", mtls_adapter)
    if self._auth_request_session is not None:
        self._auth_request_session.mount("https://", mtls_adapter)

For Urllib3 (google/auth/transport/urllib3.py):

if found_cert_key:
    self.http = _make_mutual_tls_http(cert, key)
    self._request = Request(self.http)

Metadata

Metadata

Assignees

No one assigned

    Labels

    type: bugError or flaw in code with unintended results or allowing sub-optimal usage patterns.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions