Use runtime ADC for gateway auth secret access

.github/workflows/pr.yml

@@ -52,6 +52,9 @@ jobs:
   test_env_vars:
     name: Test environment variables
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
@@ -62,7 +65,8 @@ jobs:
       - name: Auth
         uses: google-github-actions/auth@v2
         with:
-          credentials_json: ${{ secrets.GCP_SA_KEY }}
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_DEPLOY_SERVICE_ACCOUNT }}
       - name: Wait until policyengine_us version is available on PyPI
         run: .github/wait-for-pypi.sh
       - name: Install dependencies
@@ -77,6 +81,9 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     needs: test_env_vars
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
@@ -91,7 +98,8 @@ jobs:
       - name: Auth
         uses: google-github-actions/auth@v2
         with:
-          credentials_json: ${{ secrets.GCP_SA_KEY }}
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_DEPLOY_SERVICE_ACCOUNT }}
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v2
         with:

.github/workflows/push.yml

@@ -115,6 +115,9 @@ jobs:
       (github.repository == 'PolicyEngine/policyengine-api')
       && (github.event.head_commit.message == 'Update PolicyEngine API')
     environment: staging
+    permissions:
+      contents: read
+      id-token: write
     outputs:
       version: ${{ steps.version.outputs.version }}
       url: ${{ steps.version_url.outputs.url }}
@@ -132,7 +135,8 @@ jobs:
       - name: GCP authentication
         uses: "google-github-actions/auth@v2"
         with:
-          credentials_json: "${{ secrets.GCP_SA_KEY }}"
+          workload_identity_provider: "${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}"
+          service_account: "${{ secrets.GCP_DEPLOY_SERVICE_ACCOUNT }}"
       - name: Set up GCloud
         uses: "google-github-actions/setup-gcloud@v2"
       - name: Validate App Engine deployment configuration
@@ -149,7 +153,6 @@ jobs:
           APP_ENGINE_VERSION: ${{ steps.version.outputs.version }}
           APP_ENGINE_PROMOTE: "0"
           POLICYENGINE_DB_PASSWORD: ${{ secrets.POLICYENGINE_DB_PASSWORD }}
-          GOOGLE_APPLICATION_CREDENTIALS: ${{ secrets.GCP_SA_KEY }}
           POLICYENGINE_GITHUB_MICRODATA_AUTH_TOKEN: ${{ secrets.POLICYENGINE_GITHUB_MICRODATA_AUTH_TOKEN }}
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
@@ -225,6 +228,9 @@ jobs:
       (github.repository == 'PolicyEngine/policyengine-api')
       && (github.event.head_commit.message == 'Update PolicyEngine API')
     environment: production
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
@@ -239,7 +245,8 @@ jobs:
       - name: GCP authentication
         uses: "google-github-actions/auth@v2"
         with:
-          credentials_json: "${{ secrets.GCP_SA_KEY }}"
+          workload_identity_provider: "${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}"
+          service_account: "${{ secrets.GCP_DEPLOY_SERVICE_ACCOUNT }}"
       - name: Set up GCloud
         uses: "google-github-actions/setup-gcloud@v2"
       - name: Validate App Engine deployment configuration
@@ -256,7 +263,6 @@ jobs:
           APP_ENGINE_VERSION: ${{ steps.version.outputs.version }}
           APP_ENGINE_PROMOTE: "0"
           POLICYENGINE_DB_PASSWORD: ${{ secrets.POLICYENGINE_DB_PASSWORD }}
-          GOOGLE_APPLICATION_CREDENTIALS: ${{ secrets.GCP_SA_KEY }}
           POLICYENGINE_GITHUB_MICRODATA_AUTH_TOKEN: ${{ secrets.POLICYENGINE_GITHUB_MICRODATA_AUTH_TOKEN }}
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

Makefile

@@ -23,10 +23,9 @@ deploy:
 	gcloud config set app/cloud_build_timeout 2400
 	cp gcp/policyengine_api/* .
 	y | gcloud app deploy --service-account=github-deployment@policyengine-api.iam.gserviceaccount.com
-	rm app.yaml
-	rm Dockerfile
-	rm .gac.json
-	rm .dbpw
+	rm -f app.yaml
+	rm -f Dockerfile
+	rm -f .dbpw
 
 changelog:
 	python .github/bump_version.py

changelog.d/runtime-adc-secret-manager.fixed.md

@@ -0,0 +1 @@
+Stop baking Google application credentials into the App Engine runtime image so Secret Manager access uses the attached runtime service account.

gcp/export.py

@@ -1,14 +1,5 @@
 import os
-from pathlib import Path
 
-GAE = os.environ["GOOGLE_APPLICATION_CREDENTIALS"]
-# If it's a filepath, read the file. Otherwise, it'll be JSON
-try:
-    Path(GAE).resolve(strict=True)
-    with open(GAE, "r") as f:
-        GAE = f.read()
-except Exception:
-    pass
 DB_PD = os.environ["POLICYENGINE_DB_PASSWORD"]
 GITHUB_MICRODATA_TOKEN = os.environ["POLICYENGINE_GITHUB_MICRODATA_AUTH_TOKEN"]
 ANTHROPIC_API_KEY = os.environ["ANTHROPIC_API_KEY"]
@@ -20,10 +11,7 @@
 GATEWAY_AUTH_CLIENT_ID = os.environ["GATEWAY_AUTH_CLIENT_ID"]
 GATEWAY_AUTH_CLIENT_SECRET_RESOURCE = os.environ["GATEWAY_AUTH_CLIENT_SECRET_RESOURCE"]
 
-# Export GAE to to .gac.json and DB_PD to .dbpw in the current directory
-
-with open(".gac.json", "w") as f:
-    f.write(GAE)
+# Export DB_PD to .dbpw in the current directory
 
 with open(".dbpw", "w") as f:
     f.write(DB_PD)

gcp/policyengine_api/Dockerfile

@@ -2,7 +2,6 @@ FROM python:3.11
 
 RUN apt-get update && apt-get install -y build-essential redis-server && rm -rf /var/lib/apt/lists/*
 
-ENV GOOGLE_APPLICATION_CREDENTIALS .gac.json
 ENV POLICYENGINE_DB_PASSWORD .dbpw
 ENV POLICYENGINE_GITHUB_MICRODATA_AUTH_TOKEN .github_microdata_token
 ENV ANTHROPIC_API_KEY .anthropic_api_key

policyengine_api/gcp_logging.py

@@ -1,3 +1,44 @@
-from google.cloud.logging import Client
+import logging
+from typing import Optional
 
-logger = Client().logger("policyengine-api")
+
+class _LazyGoogleLogger:
+    """Lazily initialize Google Cloud Logging and fall back to stderr."""
+
+    def __init__(self, logger_name: str):
+        self._logger_name = logger_name
+        self._google_logger = None
+        self._initialization_failed = False
+        self._fallback_logger = logging.getLogger(logger_name)
+
+    def _get_google_logger(self):
+        if self._google_logger is not None:
+            return self._google_logger
+        if self._initialization_failed:
+            return None
+        try:
+            from google.cloud.logging import Client
+
+            self._google_logger = Client().logger(self._logger_name)
+            return self._google_logger
+        except Exception:
+            self._initialization_failed = True
+            return None
+
+    def log_struct(
+        self,
+        info: dict,
+        severity: str = "INFO",
+        *,
+        labels: Optional[dict] = None,
+    ) -> None:
+        google_logger = self._get_google_logger()
+        if google_logger is not None:
+            google_logger.log_struct(info, severity=severity, labels=labels)
+            return
+
+        level = getattr(logging, severity.upper(), logging.INFO)
+        self._fallback_logger.log(level, "%s", info)
+
+
+logger = _LazyGoogleLogger("policyengine-api")