Skip to content

Allow RAB check to be entirely disabled #17653

Description

@jay0lee

Determine this is the right repository

  • I determined this is the correct repository in which to report this bug.

Summary of the issue

Context
google-auth 2.55+ enable a new additional round trip call to:

https://iamcredentials.googleapis.com/v1/{name=projects/*/serviceAccounts/*}/allowedLocations

Expected Behavior:
Ability to turn this off for environments using service accounts and not RAB.

Actual Behavior:
The check is always on and cannot be disabled without modifying private functions.

API client name and version

google-auth

Reproduction steps: code

file: main.py

import http.client
import google.auth
from google.auth.transport.requests import AuthorizedSession

http.client.HTTPConnection.debuglevel = 1
credentials, _ = google.auth.default(scopes='https://www.googleapis.com/auth/cloud-platform')
session = AuthorizedSession(credentials)
session.get('https://cloudresourcemanager.googleapis.com/v3/projects')

Reproduction steps: supporting files

Repro requires google-auth 2.55+

Reproduction steps: actual results

Observe: developer sees an unexpected and unnecessary request to:

https://iamcredentials.googleapis.com/v1/{name=projects/*/serviceAccounts/*}/allowedLocations

and a 4xx/5xx response. This is confusing to developers (what's failing here? Why am I suddenly getting API errors?)

Reproduction steps: expected results

No extra API calls I didn't ask for.

A suitable alternative would be ability to turn these extraneous unwanted API calls off with a public setting rather than this hack:

credentials._is_regional_access_boundary_lookup_required = lambda: False

OS & version + platform

Windows, Linux, macOS

Python environment

3.11+

Python dependencies

None

Additional context

google-auth is used for many projects outside Google Cloud such as Google Workspace, Chrome, etc. Please remember and do testing in these environments.

Metadata

Metadata

Assignees

No one assigned

    Labels

    triage meI really want to be triaged.type: bugError or flaw in code with unintended results or allowing sub-optimal usage patterns.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions