fix(gcp): ignore ADC errors when explicit credentials are provided #531
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously, GoogleCloudStorageBuilder unconditionally attempted to read Application Default Credentials (ADC), causing build failures when ADC files existed in unsupported formats (e.g., external_account_authorized_user), even when explicit credentials were provided via with_service_account_path(), with_service_account_key(), or with_credentials(). This change makes ADC reading conditional: - When explicit credentials are provided, ADC reading errors are ignored - When no explicit credentials exist, ADC errors are propagated normally This preserves error visibility for users relying on ADC while allowing users with explicit credentials to work regardless of ADC state. The credential precedence remains: explicit credentials > ADC > instance metadata Tests added: - Verify explicit service account path ignores invalid ADC - Verify explicit service account key ignores invalid ADC - Verify custom credentials provider ignores invalid ADC - Verify ADC errors still propagate when no explicit credentials provided
crepererum
reviewed
Nov 6, 2025
src/gcp/builder.rs
Outdated
| } else { | ||
| // We have explicit credentials, so ignore ADC errors | ||
| ApplicationDefaultCredentials::read(self.application_credentials_path.as_deref()) | ||
| .unwrap_or(None) |
Contributor
There was a problem hiding this comment.
If we have credentials, then why do we attempt to call ApplicationDefaultCredentials::read at all? Can we not just skip it in this case?
Author
There was a problem hiding this comment.
Good catch! You're absolutely right - there's no need to attempt reading ADC at all when explicit credentials are already provided.
I've updated the code to skip the ADC read entirely in that case, changing:
} else {
ApplicationDefaultCredentials::read(self.application_credentials_path.as_deref())
.unwrap_or(None)
}to:
} else {
// Explicit credentials provided, skip ADC reading entirely
None
}This is cleaner, more efficient (no unnecessary file I/O)
Per reviewer feedback, avoid unnecessary file I/O by returning None directly instead of attempting to read ADC and discarding errors.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fixes an issue where
GoogleCloudStorageBuilderwould fail to build when Application Default Credentials (ADC) exist in an unsupported format, even when explicit credentials are provided viawith_service_account_path(),with_service_account_key(), orwith_credentials().Problem
Previously,
GoogleCloudStorageBuilder::build()unconditionally attempted to read ADC files and would fail immediately if the ADC format was unsupported (e.g.,external_account_authorized_userfrom Workload Identity Federation with external identity providers). This prevented users from using explicit credentials in environments where ADC was configured with newer credential types.Solution
This PR makes ADC reading conditional:
The credential precedence remains unchanged: explicit credentials > ADC > instance metadata
Changes
src/gcp/builder.rs:495-503to conditionally handle ADC reading errors based on whether explicit credentials were providedTesting
All tests pass (113 passed, 0 failed):
Impact
This change enables users in enterprise environments with Workload Identity Federation to use explicit credentials without being blocked by unsupported ADC formats, while maintaining backward compatibility and error visibility for ADC-only users.