fix: implement dynamic mtls endpoint resolution for secret manager

google-genai-bot · copybara-github · commit 5d4a13f1ce43 · 2026-06-24T12:00:12.000-07:00
Replace hardcoded regional URLs with a helper function that prioritizes `.mtls.`
endpoints when client certificates are present and enabled, fulfilling mTLS/CAA
requirements.

PiperOrigin-RevId: 937477755
diff --git a/src/google/adk/integrations/secret_manager/secret_client.py b/src/google/adk/integrations/secret_manager/secret_client.py
@@ -26,9 +26,17 @@
 from google.oauth2 import service_account
 
 from ... import version
+from ...utils import mtls_utils
 
 USER_AGENT = f"google-adk/{version.__version__}"
 
+_DEFAULT_REGIONAL_ENDPOINT_TEMPLATE = (
+    "secretmanager.{location}.rep.googleapis.com"
+)
+_DEFAULT_MTLS_REGIONAL_ENDPOINT_TEMPLATE = (
+    "secretmanager.{location}.rep.mtls.googleapis.com"
+)
+
 
 class SecretManagerClient:
   """A client for interacting with Google Cloud Secret Manager.
@@ -104,7 +112,11 @@ def __init__(
     client_options = None
     if location:
       client_options = {
-          "api_endpoint": f"secretmanager.{location}.rep.googleapis.com"
+          "api_endpoint": mtls_utils.get_api_endpoint(
+              location,
+              _DEFAULT_REGIONAL_ENDPOINT_TEMPLATE,
+              _DEFAULT_MTLS_REGIONAL_ENDPOINT_TEMPLATE,
+          )
       }
 
     self._client = secretmanager.SecretManagerServiceClient(
diff --git a/tests/unittests/integrations/secret_manager/test_secret_client.py b/tests/unittests/integrations/secret_manager/test_secret_client.py
@@ -123,8 +123,14 @@ def test_init_with_auth_token(self, mock_secret_manager_client):
   @patch(
       "google.adk.integrations.secret_manager.secret_client.default_service_credential"
   )
+  @patch(
+      "google.adk.integrations.secret_manager.secret_client.mtls_utils.get_api_endpoint"
+  )
   def test_init_with_location(
-      self, mock_default_service_credential, mock_secret_manager_client
+      self,
+      mock_get_api_endpoint,
+      mock_default_service_credential,
+      mock_secret_manager_client,
   ):
     """Test initialization with a specific location."""
     # Setup
@@ -134,6 +140,7 @@ def test_init_with_location(
         "test-project",
     )
     location = "us-central1"
+    mock_get_api_endpoint.return_value = "resolved-endpoint"
 
     # Execute
     SecretManagerClient(location=location)
@@ -143,9 +150,14 @@ def test_init_with_location(
     call_kwargs = mock_secret_manager_client.call_args.kwargs
     assert call_kwargs["credentials"] == mock_credentials
     assert call_kwargs["client_options"] == {
-        "api_endpoint": f"secretmanager.{location}.rep.googleapis.com"
+        "api_endpoint": "resolved-endpoint"
     }
     assert call_kwargs["client_info"].user_agent == USER_AGENT
+    mock_get_api_endpoint.assert_called_once_with(
+        location,
+        "secretmanager.{location}.rep.googleapis.com",
+        "secretmanager.{location}.rep.mtls.googleapis.com",
+    )
 
   @patch(
       "google.adk.integrations.secret_manager.secret_client.default_service_credential"
