fpopic opened a new pull request, #68069: URL: https://github.com/apache/airflow/pull/68069
## What Fix HashiCorp Vault GCP authentication when Application Default Credentials come from Compute Engine metadata credentials and initially expose the service account email as \. ## Why In GCE-based environments such as Cloud Composer, \ may start with \ until the credentials are refreshed from the metadata server. The Vault client used that value directly in the IAM \ request, producing an invalid resource name like \. ## How - Resolve GCP service account email through a helper before building the IAM \ request. - Treat missing or \ service account email values as unresolved. - Refresh Compute Engine credentials so the metadata server populates the real service account email. - Preserve key-file behavior by using \ when available. - Add a regression test for the Compute Engine/Composer ADC case. ## Tests \\============================= test session starts ============================== platform darwin -- Python 3.11.8, pytest-9.0.2, pluggy-1.6.0 -- /Users/popicf/Projects/github/fpopic/airflow/.venv/bin/python cachedir: .pytest_cache rootdir: /Users/popicf/Projects/github/fpopic/airflow configfile: pyproject.toml plugins: anyio-4.12.1, unordered-0.7.0, mock-3.15.1, instafail-0.5.0, timeouts-1.2.1, xdist-3.8.0, custom-exit-code-0.3.0, time-machine-3.2.0, icdiff-0.9, asyncio-1.3.0, kgb-7.3, rerunfailures-16.1, requests-mock-1.12.1, cov-7.0.0 asyncio: mode=Mode.STRICT, debug=False, asyncio_default_fixture_loop_scope=function, asyncio_default_test_loop_scope=function setup timeout: 0.0s, execution timeout: 0.0s, teardown timeout: 0.0s collecting ... collected 74 items providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_version_wrong PASSED [ 1%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_custom_mount_point PASSED [ 2%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_version_one_init PASSED [ 4%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_default_session_retry PASSED [ 5%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_approle PASSED [ 6%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_approle_different_auth_mount_point PASSED [ 8%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_approle_missing_role PASSED [ 9%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_aws_iam PASSED [ 10%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_aws_iam_different_auth_mount_point PASSED [ 12%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_aws_iam_different_region PASSED [ 13%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_azure PASSED [ 14%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_azure_different_auth_mount_point PASSED [ 16%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_azure_missing_resource PASSED [ 17%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_azure_missing_tenant_id PASSED [ 18%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_gcp_key PASSED [ 20%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_gcp_adc PASSED [ 21%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_gcp_adc_compute_engine_default_email_refresh PASSED [ 22%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_gcp_different_auth_mount_point PASSED [ 24%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_gcp_dict PASSED [ 25%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_gcp_error_wrong_type PASSED [ 27%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_github PASSED [ 28%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_github_different_auth_mount_point PASSED [ 29%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_github_missing_token PASSED [ 31%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_kubernetes_default_path PASSED [ 32%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_kubernetes PASSED [ 33%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_kubernetes_different_auth_mount_point PASSED [ 35%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_kubernetes_missing_role PASSED [ 36%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_kubernetes_kubernetes_jwt_path_none PASSED [ 37%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_jwt_with_token PASSED [ 39%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_jwt_with_token_path PASSED [ 40%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_jwt_with_token_strips_whitespace PASSED [ 41%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_jwt_different_auth_mount_point PASSED [ 43%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_jwt_missing_role PASSED [ 44%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_jwt_missing_token_and_path PASSED [ 45%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_ldap PASSED [ 47%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_ldap_different_auth_mount_point PASSED [ 48%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_radius_missing_host PASSED [ 50%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_radius_missing_secret PASSED [ 51%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_radius PASSED [ 52%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_radius_different_auth_mount_point PASSED [ 54%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_radius_port PASSED [ 55%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_token_missing_token PASSED [ 56%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_token PASSED [ 58%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_token_in_env PASSED [ 59%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_token_path PASSED [ 60%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_token_path_strip PASSED [ 62%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_default_auth_type PASSED [ 63%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_userpass PASSED [ 64%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_userpass_different_auth_mount_point PASSED [ 66%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_non_existing_key_v2 PASSED [ 67%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_non_existing_key_v2_different_auth PASSED [ 68%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_non_existing_key_v1 PASSED [ 70%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_existing_key_v2 PASSED [ 71%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_existing_key_v2_without_preconfigured_mount_point PASSED [ 72%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_existing_key_v2_version PASSED [ 74%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_existing_key_v1 PASSED [ 75%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_existing_key_v1_ssl_verify_false PASSED [ 77%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_existing_key_v1_trust_private_ca PASSED [ 78%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_existing_key_v1_with_proxies_applied PASSED [ 79%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_existing_key_v1_with_client_cert_applied PASSED [ 81%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_existing_key_v1_without_preconfigured_mount_point PASSED [ 82%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_existing_key_v1_different_auth_mount_point PASSED [ 83%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_existing_key_v1_version PASSED [ 85%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_secret_metadata_v2 PASSED [ 86%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_secret_metadata_v1 PASSED [ 87%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_secret_including_metadata_v2 PASSED [ 89%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_get_secret_including_metadata_v1 PASSED [ 90%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_create_or_update_secret_v2 PASSED [ 91%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_create_or_update_secret_v2_method PASSED [ 93%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_create_or_update_secret_v2_cas PASSED [ 94%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_create_or_update_secret_v1 PASSED [ 95%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_create_or_update_secret_v1_cas PASSED [ 97%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_create_or_update_secret_v1_post PASSED [ 98%] providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py::TestVaultClient::test_cached_property_invalidates_on_auth_failure PASSED [100%] ======================== 74 passed, 1 warning in 5.28s =========================\ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
