feat(credentials): add support for creating ComputeEngine credentials explicitly (#15789)

Author: scotthart

google/cloud/credentials.cc

@@ -63,6 +63,11 @@ std::shared_ptr<Credentials> MakeApiKeyCredentials(std::string api_key,
                                                   std::move(opts));
 }
 
+std::shared_ptr<Credentials> MakeComputeEngineCredentials(Options opts) {
+  return std::make_shared<internal::ComputeEngineCredentialsConfig>(
+      std::move(opts));
+}
+
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
 }  // namespace cloud
 }  // namespace google

google/cloud/credentials.h

@@ -370,6 +370,31 @@ std::shared_ptr<Credentials> MakeExternalAccountCredentials(
 std::shared_ptr<Credentials> MakeApiKeyCredentials(std::string api_key,
                                                    Options opts = {});
 
+/**
+ * Creates credentials for the VM's specified service account.
+ *
+ * When your application is deployed to a GCP environment such as GCE, GKE, or
+ * Cloud Run, each of these deployment environments provides a default service
+ * account to the application [aip/4115]. These environments offer mechanisms to
+ * change the default service account, and thus the credentials based on that
+ * service account, without any code changes to your application.
+ *
+ * @see https://cloud.google.com/docs/authentication for more information on
+ *     authentication in GCP.
+ *
+ * @see https://cloud.google.com/docs/authentication/client-libraries for more
+ *     information on authentication for client libraries.
+ *
+ * [aip/4115]: https://google.aip.dev/auth/4115
+ *
+ * @ingroup guac
+ *
+ * @param opts optional configuration values.  Note that the effect of these
+ *     parameters depends on the underlying transport. For example,
+ *     `LoggingComponentsOption` is ignored by gRPC-based services.
+ */
+std::shared_ptr<Credentials> MakeComputeEngineCredentials(Options opts = {});
+
 /**
  * Configure the delegates for `MakeImpersonateServiceAccountCredentials()`
  *

google/cloud/google_cloud_cpp_grpc_utils.bzl

@@ -63,6 +63,7 @@ google_cloud_cpp_grpc_utils_hdrs = [
     "internal/grpc_api_key_authentication.h",
     "internal/grpc_async_access_token_cache.h",
     "internal/grpc_channel_credentials_authentication.h",
+    "internal/grpc_compute_engine_authentication.h",
     "internal/grpc_impersonate_service_account.h",
     "internal/grpc_metadata_view.h",
     "internal/grpc_opentelemetry.h",
@@ -102,6 +103,7 @@ google_cloud_cpp_grpc_utils_srcs = [
     "internal/grpc_api_key_authentication.cc",
     "internal/grpc_async_access_token_cache.cc",
     "internal/grpc_channel_credentials_authentication.cc",
+    "internal/grpc_compute_engine_authentication.cc",
     "internal/grpc_impersonate_service_account.cc",
     "internal/grpc_opentelemetry.cc",
     "internal/grpc_request_metadata.cc",

google/cloud/google_cloud_cpp_grpc_utils.cmake

@@ -78,6 +78,8 @@ add_library(
     internal/grpc_async_access_token_cache.h
     internal/grpc_channel_credentials_authentication.cc
     internal/grpc_channel_credentials_authentication.h
+    internal/grpc_compute_engine_authentication.cc
+    internal/grpc_compute_engine_authentication.h
     internal/grpc_impersonate_service_account.cc
     internal/grpc_impersonate_service_account.h
     internal/grpc_metadata_view.h
@@ -261,6 +263,7 @@ if (BUILD_TESTING)
         internal/grpc_api_key_authentication_test.cc
         internal/grpc_async_access_token_cache_test.cc
         internal/grpc_channel_credentials_authentication_test.cc
+        internal/grpc_compute_engine_authentication_test.cc
         internal/grpc_opentelemetry_test.cc
         internal/grpc_request_metadata_test.cc
         internal/grpc_service_account_authentication_test.cc

google/cloud/google_cloud_cpp_grpc_utils_unit_tests.bzl

@@ -49,6 +49,7 @@ google_cloud_cpp_grpc_utils_unit_tests = [
     "internal/grpc_api_key_authentication_test.cc",
     "internal/grpc_async_access_token_cache_test.cc",
     "internal/grpc_channel_credentials_authentication_test.cc",
+    "internal/grpc_compute_engine_authentication_test.cc",
     "internal/grpc_opentelemetry_test.cc",
     "internal/grpc_request_metadata_test.cc",
     "internal/grpc_service_account_authentication_test.cc",

google/cloud/internal/credentials_impl.cc

@@ -101,6 +101,9 @@ ApiKeyConfig::ApiKeyConfig(std::string api_key, Options opts)
     : api_key_(std::move(api_key)),
       options_(PopulateAuthOptions(std::move(opts))) {}
 
+ComputeEngineCredentialsConfig::ComputeEngineCredentialsConfig(Options opts)
+    : options_(PopulateAuthOptions(std::move(opts))) {}
+
 }  // namespace internal
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
 }  // namespace cloud

google/cloud/internal/credentials_impl.h

@@ -40,6 +40,7 @@ class ImpersonateServiceAccountConfig;
 class ServiceAccountConfig;
 class ExternalAccountConfig;
 class ApiKeyConfig;
+class ComputeEngineCredentialsConfig;
 
 std::shared_ptr<Credentials> MakeErrorCredentials(Status error_status);
 
@@ -54,6 +55,7 @@ class CredentialsVisitor {
   virtual void visit(ServiceAccountConfig const&) = 0;
   virtual void visit(ExternalAccountConfig const&) = 0;
   virtual void visit(ApiKeyConfig const&) = 0;
+  virtual void visit(ComputeEngineCredentialsConfig const&) = 0;
 
   static void dispatch(Credentials const& credentials,
                        CredentialsVisitor& visitor);
@@ -183,6 +185,19 @@ class ApiKeyConfig : public Credentials {
   Options options_;
 };
 
+class ComputeEngineCredentialsConfig : public Credentials {
+ public:
+  explicit ComputeEngineCredentialsConfig(Options opts);
+  ~ComputeEngineCredentialsConfig() override = default;
+
+  Options const& options() const { return options_; }
+
+ private:
+  void dispatch(CredentialsVisitor& v) const override { v.visit(*this); }
+
+  Options options_;
+};
+
 /// A helper function to initialize Auth options.
 Options PopulateAuthOptions(Options options);
 

google/cloud/internal/grpc_compute_engine_authentication.cc

@@ -0,0 +1,55 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/internal/grpc_compute_engine_authentication.h"
+
+namespace google {
+namespace cloud {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace internal {
+
+GrpcComputeEngineAuthentication::GrpcComputeEngineAuthentication(
+    Options const& opts)
+    : credentials_(grpc::GoogleComputeEngineCredentials()) {
+  auto cainfo = LoadCAInfo(opts);
+  if (cainfo) ssl_options_.pem_root_certs = std::move(*cainfo);
+}
+
+std::shared_ptr<grpc::Channel> GrpcComputeEngineAuthentication::CreateChannel(
+    std::string const& endpoint, grpc::ChannelArguments const& arguments) {
+  return grpc::CreateCustomChannel(endpoint, grpc::SslCredentials(ssl_options_),
+                                   arguments);
+}
+
+bool GrpcComputeEngineAuthentication::RequiresConfigureContext() const {
+  return true;
+}
+
+Status GrpcComputeEngineAuthentication::ConfigureContext(
+    grpc::ClientContext& context) {
+  context.set_credentials(credentials_);
+  return Status{};
+}
+
+future<StatusOr<std::shared_ptr<grpc::ClientContext>>>
+GrpcComputeEngineAuthentication::AsyncConfigureContext(
+    std::shared_ptr<grpc::ClientContext> context) {
+  context->set_credentials(credentials_);
+  return make_ready_future(make_status_or(std::move(context)));
+}
+
+}  // namespace internal
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace cloud
+}  // namespace google

google/cloud/internal/grpc_compute_engine_authentication.h

@@ -0,0 +1,51 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_GRPC_COMPUTE_ENGINE_AUTHENTICATION_H
+#define GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_GRPC_COMPUTE_ENGINE_AUTHENTICATION_H
+
+#include "google/cloud/internal/credentials_impl.h"
+#include "google/cloud/internal/unified_grpc_credentials.h"
+#include "google/cloud/version.h"
+#include <grpcpp/grpcpp.h>
+
+namespace google {
+namespace cloud {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace internal {
+
+class GrpcComputeEngineAuthentication : public GrpcAuthenticationStrategy {
+ public:
+  explicit GrpcComputeEngineAuthentication(Options const& opts = {});
+  ~GrpcComputeEngineAuthentication() override = default;
+
+  std::shared_ptr<grpc::Channel> CreateChannel(
+      std::string const& endpoint,
+      grpc::ChannelArguments const& arguments) override;
+  bool RequiresConfigureContext() const override;
+  Status ConfigureContext(grpc::ClientContext&) override;
+  future<StatusOr<std::shared_ptr<grpc::ClientContext>>> AsyncConfigureContext(
+      std::shared_ptr<grpc::ClientContext> context) override;
+
+ private:
+  std::shared_ptr<grpc::CallCredentials> credentials_;
+  grpc::SslCredentialsOptions ssl_options_;
+};
+
+}  // namespace internal
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace cloud
+}  // namespace google
+
+#endif  // GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_INTERNAL_GRPC_COMPUTE_ENGINE_AUTHENTICATION_H

google/cloud/internal/grpc_compute_engine_authentication_test.cc

@@ -0,0 +1,47 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/internal/grpc_compute_engine_authentication.h"
+#include "google/cloud/testing_util/status_matchers.h"
+#include <gmock/gmock.h>
+
+namespace google {
+namespace cloud {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace internal {
+namespace {
+
+using ::google::cloud::testing_util::IsOk;
+
+TEST(GrpcComputeEngineAuthenticationTest, Simple) {
+  GrpcComputeEngineAuthentication auth;
+
+  auto channel = auth.CreateChannel("localhost:1", grpc::ChannelArguments{});
+  EXPECT_NE(nullptr, channel.get());
+
+  for (auto attempt : {1, 2, 3}) {
+    SCOPED_TRACE("Running attempt " + std::to_string(attempt));
+    grpc::ClientContext context;
+    EXPECT_EQ(nullptr, context.credentials());
+    auto status = auth.ConfigureContext(context);
+    EXPECT_THAT(status, IsOk());
+    EXPECT_NE(nullptr, context.credentials());
+  }
+}
+
+}  // namespace
+}  // namespace internal
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace cloud
+}  // namespace google