feat(auth): Add support for Regional Access Boundaries#13499
Merged
vverman merged 5 commits intoJun 22, 2026
Conversation
googleapis#12787) Migrates RAB changes from the older repo -> https://github.com/googleapis/google-auth-library-java/tree/feat-tb-sa
…gleapis#12867) 1. The RAB refresh uses a direct executor with a fixed thread pool as opposed to instantiating a new thread each time. 2. The RAB env gate -> GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT has been removed. This means RAB refresh triggers by default. 3. Added other fixes/suggestions made in the previous Java [PR](googleapis/google-auth-library-java#1880).
…oogleapis#13331) In ComputeEngineCredentials when running on GKE platform, the getAccount() call may return a value which isn't an email. In this case the right behaviour is to skip RAB lookup which is what this PR does. Added tests.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request introduces support for Regional Access Boundaries (RAB) across various Google credential types by implementing the RegionalAccessBoundaryProvider interface and managing the lifecycle of boundaries via a new RegionalAccessBoundaryManager. The feedback highlights a few critical improvement opportunities: adding null checks for getAudience() in both ExternalAccountAuthorizedUserCredentials and ExternalAccountCredentials to prevent potential NullPointerExceptions, and performing a defensive copy of the locations list in the RegionalAccessBoundary constructor to guarantee the class's immutability.
lqiu96
changed the title
lqiu96
added
the
kokoro:force-run
yoshi-kokoro
removed
the
kokoro:force-run
lqiu96
approved these changes
Jun 22, 2026
lqiu96
added
the
kokoro:force-run
yoshi-kokoro
removed
the
kokoro:force-run
Member
|
Error: Test failure looks to be irrelevant to the feature. We can merge without the Graalvm checks passing |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Regional Access Boundaries PR to main. Contains all the changes merged to the feature branch rebased on top of main.
P.S. Opening the PR directly to main as feature branch regional-access-boundaries has drifted from main and opening a rebased-PR to the feature branch shows 5k+ lines of code diff.