
Use runtime ADC for gateway auth secret access#3520

Merged
anth-volk merged 4 commits into master from fix/runtime-adc-secret-manager on Apr 27, 2026

Conversation

@anth-volk (Collaborator) commented Apr 27, 2026

Fixes #3521

Summary

This changes API v1 to use the App Engine runtime service account for Secret Manager access instead of a baked GOOGLE_APPLICATION_CREDENTIALS file in the deployed image.

It also adds GitHub OIDC Workload Identity Federation support to the repo workflows, with fallback to the existing GCP_SA_KEY path during migration.

Changes

  • stop baking GOOGLE_APPLICATION_CREDENTIALS into the App Engine runtime image
  • stop generating .gac.json for runtime use in the deploy export path
  • make GCP logging lazy so import-time code paths do not require ADC during build/test
  • use metadata-backed ADC in the running service for Secret Manager reads
  • add WIF auth support to push.yml and pr.yml
  • add id-token: write permissions to jobs that authenticate to GCP
  • keep key-based auth as a temporary fallback until the migration is verified

Validation

  • uv run pytest --noconftest tests/unit/libs/test_gateway_auth.py tests/unit/libs/test_simulation_api_modal.py
  • uv run ruff check policyengine_api/gcp_logging.py gcp/export.py
  • verified the WIF provider and repo-wide service-account binding in GCP
  • set repo secrets:
    • GCP_WORKLOAD_IDENTITY_PROVIDER
    • GCP_DEPLOY_SERVICE_ACCOUNT

Follow-up

Once CI/deploy is green on WIF, we should remove fallback use of GCP_SA_KEY and then delete that secret.
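The change list above describes two runtime-side moves: build the Secret Manager client lazily so that importing the module never needs ADC at build or test time, and let the client fall through to the metadata-backed service account rather than a baked key file. The block below is an added illustration of that pattern, not code from this PR or from the PolicyEngine repository; the module layout, the `demo-project` id, the `gateway-auth` secret name and the `check_runtime_credentials` helper are all assumptions.

```python
"""Lazy, ADC-backed Secret Manager reads for a runtime service.

Added illustration, not PolicyEngine's code: the project's real module and
configuration are not shown on the page, so names here are hypothetical.
"""
import threading
import types
from typing import Callable, Dict, List, Mapping, Optional, Tuple


def _default_client_factory():
    """Build the real client on first use only.

    The import sits inside the function on purpose: importing this module
    (e.g. during build or unit tests) must not require the google library or
    working Application Default Credentials. Constructing the client with no
    explicit credentials walks the ADC chain; on App Engine that resolves to
    the runtime service account via the metadata server, so no key file is
    needed in the image.
    """
    from google.cloud import secretmanager

    return secretmanager.SecretManagerServiceClient()


class LazySecretReader:
    """Reads secret versions, creating the client lazily and exactly once."""

    def __init__(self, project_id: str, client_factory: Optional[Callable[[], object]] = None):
        self._project_id = project_id
        self._factory = client_factory or _default_client_factory
        self._client = None
        self._lock = threading.Lock()
        # Process-local cache: avoids a Secret Manager round trip per request.
        # Caveat: a rotated secret is not seen until the process restarts or
        # the entry is dropped, so pin a version or clear the cache on rotation.
        self._cache: Dict[Tuple[str, str], str] = {}

    def _get_client(self):
        if self._client is None:
            with self._lock:  # double-checked so concurrent first reads share one client
                if self._client is None:
                    self._client = self._factory()
        return self._client

    def version_name(self, secret_id: str, version: str = "latest") -> str:
        return f"projects/{self._project_id}/secrets/{secret_id}/versions/{version}"

    def read(self, secret_id: str, version: str = "latest") -> str:
        key = (secret_id, version)
        if key not in self._cache:
            response = self._get_client().access_secret_version(
                request={"name": self.version_name(secret_id, version)}
            )
            self._cache[key] = response.payload.data.decode("utf-8")
        return self._cache[key]


def check_runtime_credentials(environ: Mapping[str, str]) -> List[str]:
    """Findings for credentials that should not be present in the runtime.

    Once the service relies on metadata-backed ADC, a leftover key file path
    or key material in the environment means the migration is incomplete.
    """
    findings: List[str] = []
    gac = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if gac:
        findings.append(
            f"GOOGLE_APPLICATION_CREDENTIALS={gac}: a baked key file overrides the "
            "runtime service account; remove it from the image"
        )
    if environ.get("GCP_SA_KEY"):
        findings.append(
            "GCP_SA_KEY is exposed to the runtime; a long-lived key belongs only in "
            "the CI fallback path, and only until that path is retired"
        )
    return findings


class FakeSecretManagerClient:
    """Constructed stand-in for SecretManagerServiceClient (offline demo/tests)."""

    def __init__(self, secrets: Mapping[str, bytes]):
        self._secrets = dict(secrets)
        self.calls = 0

    def access_secret_version(self, request):
        self.calls += 1
        name = request["name"]
        if name not in self._secrets:
            # The real client raises google.api_core.exceptions.NotFound here.
            raise LookupError(f"secret version not found: {name}")
        return types.SimpleNamespace(payload=types.SimpleNamespace(data=self._secrets[name]))


if __name__ == "__main__":
    # Constructed sample secret; no GCP access is needed to run this.
    fake = FakeSecretManagerClient(
        {"projects/demo-project/secrets/gateway-auth/versions/latest": b"constructed-token"}
    )
    reader = LazySecretReader("demo-project", client_factory=lambda: fake)
    print(reader.read("gateway-auth"), "calls:", fake.calls)
    print(check_runtime_credentials({"GOOGLE_APPLICATION_CREDENTIALS": "/app/.gac.json"}))
```

The same lazy-import move is what makes the GCP logging change safe for import-time code paths. Two practitioner checks for the real deployment: the App Engine runtime service account needs `roles/secretmanager.secretAccessor` granted on the specific secret, not project-wide, and an environment with `GOOGLE_APPLICATION_CREDENTIALS` still set will silently win over the metadata server, which is what `check_runtime_credentials` is there to catch.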

@codecov (bot) commented Apr 27, 2026

Codecov Report

❌ Patch coverage is 39.28571% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.68%. Comparing base (d07f6d2) to head (939b716).
⚠️ Report is 5 commits behind head on master.

Files with missing lines Patch % Lines
policyengine_api/gcp_logging.py 39.28% 17 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3520      +/-   ##
==========================================
- Coverage   77.00%   76.68%   -0.33%     
==========================================
  Files          63       63              
  Lines        3418     3444      +26     
  Branches      617      620       +3     
==========================================
+ Hits         2632     2641       +9     
- Misses        612      629      +17     
  Partials      174      174              

☔ View full report in Codecov by Sentry.

@anth-volk anth-volk marked this pull request as ready for review April 27, 2026 21:56
@anth-volk anth-volk merged commit 35b4285 into master Apr 27, 2026
5 of 7 checks passed
@anth-volk anth-volk deleted the fix/runtime-adc-secret-manager branch April 27, 2026 21:56

Linked issue (may be closed by this merge): Use App Engine runtime ADC for gateway auth secret access

1 participant