Skip to content

feat: add support for specifying separate credentials for authenticating with DB#510

Merged
rhatgadkar-goog merged 8 commits into
mainfrom
issue501
Jan 8, 2026
Merged

feat: add support for specifying separate credentials for authenticating with DB#510
rhatgadkar-goog merged 8 commits into
mainfrom
issue501

Conversation

@rhatgadkar-goog

@rhatgadkar-goog rhatgadkar-goog commented Dec 29, 2025

Copy link
Copy Markdown
Collaborator

This PR does the following:

  • When authenticating with the DB, the alloydb.login scope is used instead of the cloud-platform scope. Authentication with the AlloyDB Admin API continues to use the cloud-platform scope.
  • The user can specify separate credentials, with the db_credentials argument passed into the Connector() and AsyncConnector(). When specified, only the db_credentials will be used to authenticate with the DB. If not specified, the existing behavior is preserved with credentials being used to authenticate with the DB.

Fixes #501

@rhatgadkar-goog rhatgadkar-goog linked an issue Dec 29, 2025 that may be closed by this pull request
@rhatgadkar-goog rhatgadkar-goog marked this pull request as ready for review December 29, 2025 18:49
@rhatgadkar-goog rhatgadkar-goog requested a review from a team as a code owner December 29, 2025 18:49
@rhatgadkar-goog rhatgadkar-goog changed the title feat: use only alloydb.login scope for IAM authentication chore: use only alloydb.login scope for IAM authentication Dec 29, 2025
@rhatgadkar-goog rhatgadkar-goog changed the title chore: use only alloydb.login scope for IAM authentication fix: use only alloydb.login scope for IAM authentication Dec 29, 2025
@rhatgadkar-goog rhatgadkar-goog changed the title fix: use only alloydb.login scope for IAM authentication chore: use only alloydb.login scope for IAM authentication Dec 29, 2025

@enocom enocom left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll want to retain the cloud-platform scope for all AlloyDB API interactions. We'll want a separate set of credentials for the metadata exchange and IAM auth that are scoped to just login. This way API interactions continue with the cloud platform scope, but any login tokens only have the login scope attached. We can talk more about this elsewhere if you like.

These credentials use `alloydb.login` scope and are specified by the
`db_credentials` argument in `Connector()` and `AsyncConnector()`. The
`credentials` argument continues to use the `cloud-platform` scope and
is now only used for authenticating with the AlloyDB Admin API.
@rhatgadkar-goog rhatgadkar-goog changed the title chore: use only alloydb.login scope for IAM authentication feat: add separate credentials for authenticating with DB Jan 7, 2026
@rhatgadkar-goog rhatgadkar-goog requested a review from enocom January 7, 2026 02:07
@rhatgadkar-goog

Copy link
Copy Markdown
Collaborator Author

We'll want to retain the cloud-platform scope for all AlloyDB API interactions. We'll want a separate set of credentials for the metadata exchange and IAM auth that are scoped to just login. This way API interactions continue with the cloud platform scope, but any login tokens only have the login scope attached. We can talk more about this elsewhere if you like.

Done. I addressed this

@rhatgadkar-goog rhatgadkar-goog changed the title feat: add separate credentials for authenticating with DB feat: add support for specifying separate credentials for authenticating with DB Jan 7, 2026

@enocom enocom left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some small nits. Big picture LGTM.

request = google.auth.transport.requests.Request()
self._credentials.refresh(request)
return self._credentials.token
self._db_credentials.refresh(request)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In a separate PR, we should fix this refresh to happen in a thread. When I sent #508, I did not relize we had this in a separate spot.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. This is the PR: #512

self._credentials, _ = google.auth.default(scopes=scopes)
# initialize credentials for authenticating with the DB
scopes = ["https://www.googleapis.com/auth/alloydb.login"]
if db_credentials:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the client has provided db_credentials, I think we don't need to change the scope. We can advice them in the docs that this should be scoped to the alloydb.login scope. Otherwise, I think we're OK to accept the credentials as is.

Only in the case below where we don't have a db_credentials do we want to ensure that we're limited to just the login scope.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

db_credentials (google.auth.credentials.Credentials):
A credentials object created from the google-auth Python library.
If not specified, the credentials used for authenticating with the
AlloyDB Admin API will also be used to authenticate with the DB.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add something like: This is only used when Auto IAM AuthN is enabled.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our async connector still doesn't use the metadata exchange, so here the db_credentials only get used when IAM AuthN is on. Below with the synchronous connector, the documentation you have written is perfectly fine.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

enocom
enocom previously approved these changes Jan 7, 2026
@rhatgadkar-goog rhatgadkar-goog merged commit 4d6a958 into main Jan 8, 2026
16 checks passed
@rhatgadkar-goog rhatgadkar-goog deleted the issue501 branch January 8, 2026 00:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Scope token used by IAM Authn to just alloydb.login.

2 participants