Replace CloudScoped with ValidatingStrategy for credential chain filtering#1516
hectorcast-db wants to merge 3 commits into main from
Conversation
renaudhartert-db left a comment:
It is weird to me that the requirements are not owned by the CredentialsStrategy, as one will have to understand the internals of the strategy to be able to decide what requirements to apply. Also, every client (e.g. the CLI) that builds on top of this will have to re-implement the requirement mapping.
Could we think of an alternative design?
15f8bb0 to d3d7ee5
d3d7ee5 to 0db3876
…CloudRequirements

PR #1505 changed NewCredentialsChain to return *credentialsChain (unexported) to enable WithCloudRequirements chaining. This broke the public API. Restore the return type to CredentialsStrategy and introduce NewCredentialsChainWithCloudRequirements for callers that need cloud-based filtering. DefaultCredentials now uses the new constructor directly. The WithCloudRequirements method is removed as it is no longer needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Hector Castejon Diaz <hector.castejon@databricks.com>
0db3876 to 231965e
config/auth_default.go (outdated excerpt)

```go
if requiredCloud, ok := c.cloudRequirements[s.Name()]; ok {
	if cfg.Environment().Cloud != requiredCloud {
		logger.Debugf(ctx, "Skipping %q: not configured for %s", s.Name(), requiredCloud)
if cs, ok := s.(CloudScoped); ok {
```
Do you foresee any reason to generalize this beyond cloud checking?
Only if we decide to do a full rewrite and align the 3 SDKs. Then we may want to completely change the logic: not use `nil, nil` / `nil, error` when it does not apply, and use explicit functions like this one.
But that would be a big behavioral breaking change, so I don't think redoing this interface would be much of a big deal.
Changes

Replaces the `CloudScoped` interface (introduced in the #1505 follow-up) with a more expressive `ValidatingStrategy` interface, and restores `NewCredentialsChain` to return `CredentialsStrategy`.

New interface

Chain behavior

- If `Validate` returns any error, the strategy is skipped (logged at debug level). This covers both cloud mismatches and missing required fields.
- Explicit `auth_type`: `ErrInvalidCloud` is ignored so users can force a cloud-specific strategy on any host (e.g. `azure-cli` on a GCP host). Any other validation error is propagated so misconfigured strategies fail fast with a clear message.

Per-strategy `Validate` methods

Each Azure and GCP strategy (`AzureCliCredentials`, `AzureMsiCredentials`, `AzureClientSecretCredentials`, `AzureGithubOIDCCredentials`, `GoogleCredentials`, `GoogleDefaultCredentials`) now implements `Validate` with:

- Required-field checks with explicit messages (e.g. `"azure_client_id is required"`, `"google_service_account is not set"`)
- `ErrInvalidCloud` if the host's cloud doesn't match; placed last because it is the softer condition (overridable via explicit `auth_type`)

The original `nil, nil` guards in `Configure` are preserved as a safety net.

Tests

- Updated `TestCredentialsChain_CloudFiltering_*` to use a `validatingStrategy` test helper implementing the new interface
- All `config` package tests pass
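The chain behavior and the per-strategy `Validate` ordering described above, modelled as a stand-alone Go program. This is an added example, not code from the SDK or from this PR: `Config`, `Cloud`, the `Resolve` function, the `patStrategy`/`azureClientSecretStrategy` types, the `"Bearer aad-token-for-..."` placeholder and the error message text of `ErrInvalidCloud` are all assumptions made for illustration. It shows the three outcomes the description lists: a strategy skipped in chain mode, a cloud mismatch overridden by an explicit `auth_type`, and a missing required field failing fast under an explicit `auth_type`.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// Cloud identifies the host's cloud. The SDK derives it from the host URL;
// here it is a plain field (assumption for the example).
type Cloud string

const (
	CloudAWS   Cloud = "aws"
	CloudAzure Cloud = "azure"
	CloudGCP   Cloud = "gcp"
)

// Config is a minimal stand-in for the SDK's Config (assumption).
type Config struct {
	Cloud         Cloud
	AuthType      string // explicit auth_type; empty lets the chain decide
	Token         string // personal access token
	AzureClientID string
}

// ErrInvalidCloud is the sentinel Validate returns on a cloud mismatch.
// The identifier follows the PR description; the message text is assumed.
var ErrInvalidCloud = errors.New("strategy is not valid for this cloud")

// CredentialsStrategy mirrors the shape of the SDK interface: Configure
// returns ("", nil) when the strategy does not apply (the "nil, nil" guard).
type CredentialsStrategy interface {
	Name() string
	Configure(cfg *Config) (authHeader string, err error)
}

// ValidatingStrategy is the interface the PR introduces: Validate reports
// missing required fields first and ErrInvalidCloud last.
type ValidatingStrategy interface {
	CredentialsStrategy
	Validate(cfg *Config) error
}

// patStrategy works on any cloud and therefore implements no Validate.
type patStrategy struct{}

func (patStrategy) Name() string { return "pat" }
func (patStrategy) Configure(cfg *Config) (string, error) {
	if cfg.Token == "" {
		return "", nil // does not apply
	}
	return "Bearer " + cfg.Token, nil
}

// azureClientSecretStrategy is Azure-only; its Validate follows the ordering
// from the PR description: required field first, cloud check last.
type azureClientSecretStrategy struct{}

func (azureClientSecretStrategy) Name() string { return "azure-client-secret" }
func (azureClientSecretStrategy) Validate(cfg *Config) error {
	if cfg.AzureClientID == "" {
		return errors.New("azure_client_id is required")
	}
	if cfg.Cloud != CloudAzure {
		return ErrInvalidCloud // softer condition, overridable via auth_type
	}
	return nil
}
func (azureClientSecretStrategy) Configure(cfg *Config) (string, error) {
	if cfg.AzureClientID == "" {
		return "", nil // original nil, nil guard kept as a safety net
	}
	// A real implementation exchanges the client secret for a token;
	// this constructed value stands in for that.
	return "Bearer aad-token-for-" + cfg.AzureClientID, nil
}

// Resolve applies the chain behavior from the PR description and returns the
// name of the strategy that produced credentials plus the header value.
func Resolve(cfg *Config, chain []CredentialsStrategy) (string, string, error) {
	for _, s := range chain {
		if cfg.AuthType != "" && s.Name() != cfg.AuthType {
			continue
		}
		if v, ok := s.(ValidatingStrategy); ok {
			if err := v.Validate(cfg); err != nil {
				switch {
				case cfg.AuthType == "":
					// Chain mode: any validation error just skips the strategy.
					log.Printf("skipping %q: %v", s.Name(), err)
					continue
				case errors.Is(err, ErrInvalidCloud):
					// Explicit auth_type: the user may force a cloud-specific
					// strategy on another cloud's host, so ignore the mismatch.
				default:
					// Explicit auth_type with a misconfiguration: fail fast.
					return "", "", fmt.Errorf("%s: %w", s.Name(), err)
				}
			}
		}
		header, err := s.Configure(cfg)
		if err != nil {
			return "", "", fmt.Errorf("%s: %w", s.Name(), err)
		}
		if header == "" {
			continue // nil, nil: the strategy did not apply
		}
		return s.Name(), header, nil
	}
	if cfg.AuthType != "" {
		return "", "", fmt.Errorf("auth_type %q did not produce credentials", cfg.AuthType)
	}
	return "", "", errors.New("no credentials strategy applied")
}

// DefaultChain is the order used by this example (constructed, not the SDK's).
func DefaultChain() []CredentialsStrategy {
	return []CredentialsStrategy{azureClientSecretStrategy{}, patStrategy{}}
}

func main() {
	cfg := &Config{Cloud: CloudGCP, Token: "dapi-example"}
	name, _, err := Resolve(cfg, DefaultChain())
	fmt.Println(name, err) // pat <nil>
}
```

The one design point worth noting is where the `ErrInvalidCloud` exemption lives: only the explicit `auth_type` path ignores it, so in chain mode a cloud-mismatched strategy is still skipped, and a missing required field is never silently ignored in either mode.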