Skip to content

fix(auth): allowlist agents-nonprod trust domains for agent identity#17155

Merged
nbayati merged 2 commits into
googleapis:mainfrom
nbayati:allow-nonprod-agent-identity
May 15, 2026
Merged

fix(auth): allowlist agents-nonprod trust domains for agent identity#17155
nbayati merged 2 commits into
googleapis:mainfrom
nbayati:allow-nonprod-agent-identity

Conversation

@nbayati
Copy link
Copy Markdown
Contributor

@nbayati nbayati commented May 15, 2026

Allow agents-nonprod SPIFFE trust domains (agents-nonprod.global.org-<id>.system.id.goog and agents-nonprod.global.proj-<id>.system.id.goog) in addition to the production agents ones. This enables support for Agent Identity testing and validation in non-production environments (e.g., GKE autopush, staging), resolving pool format validation failures for non-prod agent pools.

Bug: b/513574981

@nbayati
fix(auth): allowlist agents-nonprod trust domains for agent identity
a7d4687 
Allow `agents-nonprod` SPIFFE trust domains (`agents-nonprod.global.org-<id>.system.id.goog` and `agents-nonprod.global.proj-<id>.system.id.goog`) in addition to the production `agents` ones.
This enables support for Agent Identity testing and validation in non-production environments (e.g., GKE autopush, staging), resolving pool format validation failures for non-prod agent pools.

Bug: b/513574981
@nbayati nbayati requested review from a team as code owners May 15, 2026 17:04
gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the agent identity utilities to include support for non-production SPIFFE trust domain patterns. Specifically, it adds regex patterns for agents-nonprod global organizations and projects to the allowed trust domains. The changes also include import refactoring for better organization and an update to the test suite to validate these new patterns using a parameterized test case. There are no review comments to evaluate, and I have no feedback to provide.

@nbayati nbayati enabled auto-merge (squash) May 15, 2026 17:23
@nbayati nbayati merged commit 44c93d2 into googleapis:main May 15, 2026
31 checks passed
This was referenced May 15, 2026
Closed
Merged
suztomo added a commit that referenced this pull request May 15, 2026
@suztomo
chore: librarian release pull request: 20260515T192321Z (#17158)
817b199 
PR created by the Librarian CLI to initialize a release. Merging this PR
will auto trigger a release.

Librarian Version: v0.13.0
Language Image:
us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator@sha256:234b9d1f2ddb057ed7ac6a38db0bf8163d839c65c6cf88ade52530cddebce59e
<details><summary>google-auth: v2.53.0</summary>

##
[v2.53.0](suztomo/google-cloud-python@google-auth-v2.52.0...google-auth-v2.53.0)
(2026-05-15)

### Bug Fixes

* allowlist agents-nonprod trust domains for agent identity (#17155)
([44c93d2](suztomo@44c93d2e))

* fail-fast on invalid or non-workload certificate configs in agent
identity discovery (#17116)
([f27a546](suztomo@f27a5461))

</details>

b/513591686
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@macastelaz macastelaz macastelaz approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nbayati @macastelaz