feat: Enable Bound Token for Agentic Identities#13169
Conversation
1. POST request to MDS with cert-chain
2. Cert-key matching
3. Included logic to consider the user's choice by looking at GOOGLE_API_USE_CLIENT_CERTIFICATE env variable
4. Bound ID tokens.
Code Review
This pull request introduces Agent Identity token binding support for Cloud Run, adding the AgentIdentityUtils utility class and updating ComputeEngineCredentials to handle bound token requests. Comprehensive tests and mock updates were also included. Feedback highlights a critical performance regression due to a 30-second retry loop in environments without Agent Identity. Further improvements suggested include using the library's JSON factory for serialization, adopting Paths.get() for file paths, replacing System.out.println with structured logging, and cleaning up unused code.
```java
for (long sleepInterval : POLLING_INTERVALS) {
  try {
    if (Files.exists(Paths.get(bundlePath))) {
      return bundlePath;
    }
    if (Files.exists(Paths.get(certOnlyPath))) {
      return certOnlyPath;
    }
  } catch (Exception e) {
    // Fall through to retry
  }
  if (!warned) {
    Slf4jUtils.log(
        LOGGER,
        org.slf4j.event.Level.WARN,
        Collections.emptyMap(),
        String.format(
            "Well-known certificate file not found at %s. Retrying for up to %d seconds.",
            wellKnownDir, TOTAL_TIMEOUT_MS / 1000));
    warned = true;
  }
  try {
    timeService.sleep(sleepInterval);
  } catch (InterruptedException e) {
    Thread.currentThread().interrupt();
    throw new IOException(
        "Interrupted while waiting for well-known certificate files.",
        e);
  }
}
throw new IOException(
    "Unable to find well-known certificate file for bound token request after multiple retries.");
```
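Review bot: the `catch (Exception e)` wrapped around the two `Files.exists` checks swallows `InvalidPathException` from `Paths.get(bundlePath)` and `Paths.get(certOnlyPath)` (`Files.exists` itself does not throw), so a malformed path keeps the loop polling for the whole `TOTAL_TIMEOUT_MS` and then surfaces as "Unable to find well-known certificate file" instead of failing fast with the real cause; build the two `Path` objects once before the loop and drop the try/catch, or catch only what you actually intend to retry. `Files.exists` is also true for a directory at either path, so `Files.isRegularFile(...)` would avoid returning a directory as the certificate file. Finally, the warning quotes `TOTAL_TIMEOUT_MS / 1000` while the loop's real duration is the sum of `POLLING_INTERVALS`; derive one constant from the other so the message cannot drift from the behaviour.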
This retry loop introduces a 30-second delay and eventually throws an IOException on every token refresh for environments where Agent Identity is not used (e.g., standard GCE instances), as it is enabled by default. This is a significant performance regression and a breaking change for existing users. You should consider checking if the wellKnownDir exists before entering the loop, or only performing the retry if there is an explicit indication that the environment should support bound tokens. Additionally, if the certificates are not found in the well-known path, the library should likely fall back to unbound tokens (return null) instead of throwing an exception, unless explicitly configured otherwise.
This PR introduces a feature which enables the auth library to acquire bound access-tokens and bound id-tokens in Agentic Environments.
1. We detect certs in default paths and check if they match the SPIFFE format for agents.
2. If 1. is a yes, then we call the MDS endpoint in a POST request with the certificate in the body.
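The decision procedure the PR describes (find the well-known certificate, check that it carries a SPIFFE identity, verify that the private key matches the certificate, respect GOOGLE_API_USE_CLIENT_CERTIFICATE, and otherwise fall back to an unbound token rather than polling and throwing), written out as an added example in Go. This is not code from the PR or from google-auth-library-java, and it is deliberately not Java so that it runs stand-alone here. Assumptions that are not on the page: the bundle file path is hypothetical; only the spiffe:// scheme of the URI SAN is checked because the agent SPIFFE ID layout is not given; GOOGLE_API_USE_CLIENT_CERTIFICATE is treated as opt-in with the literal value true; the cert-only file layout and the MDS endpoint and POST body format are omitted because the page does not name them. The sample certificate is generated in-process as constructed input.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"os"
	"time"
)

type Decision struct {
	Bound            bool // true: ask the MDS for a bound token with Chain in the POST body
	SPIFFEID, Reason string
	Chain            []*x509.Certificate
}

// parsePEM collects CERTIFICATE blocks and a PKCS#8 PRIVATE KEY block from one PEM bundle.
func parsePEM(data []byte) (certs []*x509.Certificate, key crypto.Signer, err error) {
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		switch b.Type {
		case "CERTIFICATE":
			var c *x509.Certificate
			if c, err = x509.ParseCertificate(b.Bytes); err != nil {
				return nil, nil, err
			}
			certs = append(certs, c)
		case "PRIVATE KEY":
			k, kerr := x509.ParsePKCS8PrivateKey(b.Bytes)
			if kerr != nil {
				return nil, nil, kerr
			}
			key, _ = k.(crypto.Signer)
		}
	}
	return certs, key, nil
}

// agentSPIFFEID returns the first spiffe:// URI SAN; the agent ID path layout is not on the page, so only the scheme is checked (assumption).
func agentSPIFFEID(c *x509.Certificate) (string, bool) {
	for _, u := range c.URIs {
		if u.Scheme == "spiffe" && u.Host != "" {
			return u.String(), true
		}
	}
	return "", false
}

// decide runs the steps in order: env opt-in, read bundle, SPIFFE check, cert-key match. No bundle or no agent cert means "unbound" (no polling, no exception); a mismatched key is an error.
func decide(bundlePath string, getenv func(string) string) (Decision, error) {
	if getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE") != "true" { // assumed opt-in semantics
		return Decision{Reason: "client certificate disabled by env; unbound token"}, nil
	}
	raw, err := os.ReadFile(bundlePath)
	if err != nil { // missing well-known directory or file: fall back at once
		return Decision{Reason: "no well-known bundle (" + err.Error() + "); unbound token"}, nil
	}
	certs, key, err := parsePEM(raw)
	if err != nil || len(certs) == 0 || key == nil {
		return Decision{}, fmt.Errorf("%s: need a certificate and a private key (%v)", bundlePath, err)
	}
	id, ok := agentSPIFFEID(certs[0])
	if !ok {
		return Decision{Reason: "leaf has no spiffe URI SAN; unbound token"}, nil
	}
	pub, ok := certs[0].PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(key.Public()) { // cert-key matching
		return Decision{}, fmt.Errorf("%s: private key does not match the agent certificate", bundlePath)
	}
	return Decision{Bound: true, SPIFFEID: id, Reason: "bound token", Chain: certs}, nil
}

// newBundle builds a self-signed sample cert with the given URI SAN plus its key as one PEM bundle (constructed test input, not a real agent identity).
func newBundle(uri string) ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	u, _ := url.Parse(uri)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "agent"}, URIs: []*url.URL{u}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	kder, _ := x509.MarshalPKCS8PrivateKey(priv)
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return append(certPEM, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kder})...), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "agent")
	defer os.RemoveAll(dir)
	bundle, _ := newBundle("spiffe://example.org/agent/demo")
	_ = os.WriteFile(dir+"/bundle.pem", bundle, 0o600)
	d, err := decide(dir+"/bundle.pem", os.Getenv) // export GOOGLE_API_USE_CLIENT_CERTIFICATE=true to opt in
	fmt.Printf("bound=%v spiffe_id=%q reason=%q err=%v\n", d.Bound, d.SPIFFEID, d.Reason, err)
}
```

The ordering matters: the env check comes first so that an explicit opt-out never touches the filesystem, and a missing bundle returns a Decision with a reason rather than an error, which is the fallback-to-unbound behaviour the review comment asks for. A key that does not match an agent certificate is the one case that is an error rather than a silent fallback, because it indicates a misconfigured identity rather than the absence of one.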