fix(auth): Add temporary patch to workload cert logic to accomodate Cloud Run mis-configuration #1880
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…loud Run mis-configuration
| ) | ||
| key_path = workload["key_path"] | ||
|
|
||
| # == BEGIN Temporary Cloud Run PATCH == |
Collaborator
There was a problem hiding this comment.
Please add a TODO: string somewhere giving some context, and letting us know how and when the patch can be removed. Maybe add a link to this PR or a bug too (is there a tracking bug that will be resolved when this can be removed?
Contributor
Author
There was a problem hiding this comment.
I created a github issue to track this at #1881 and assigned it to myself. Included this in the comments.
daniel-sanche
approved these changes
Dec 4, 2025
vchudnov-g
added a commit
that referenced
this pull request
Dec 15, 2025
PR created by the Librarian CLI to initialize a release. Merging this PR will auto trigger a release. Librarian Version: v0.7.0 Language Image: us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator:latest <details><summary>google-auth: 2.44.0</summary> ## [2.44.0](v2.43.0...v2.44.0) (2025-12-12) ### Features * MDS connections use mTLS (#1856) ([0387bb9](0387bb95)) * support Python 3.14 (#1822) ([0f7097e](0f7097e7)) * add ecdsa p-384 support (#1872) ([39c381a](39c381a5)) * Add shlex to correctly parse executable commands with spaces (#1855) ([cf6fc3c](cf6fc3cc)) * Implement token revocation in STS client and add revoke() metho… (#1849) ([d563898](d5638986)) ### Bug Fixes * Add temporary patch to workload cert logic to accomodate Cloud Run mis-configuration (#1880) ([78de790](78de7907)) * Delegate workload cert and key default lookup to helper function (#1877) ([b0993c7](b0993c7e)) * Use public refresh method for source credentials in ImpersonatedCredentials (#1884) ([e0c3296](e0c3296f)) </details>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch adds a fallback logic to look for Cloud Run cert/keys in the well-known location if the cert config contains the exact incorrect cert/key paths AND the incorrect cert/key paths point to non-existent files.
Note: This patch will be reverted sometime in Jan 2026, after Cloud Run environment is updated with the correct cert configs. The revert will be tracked by #1881