feat(auth): Add option for metadata server application default credentials without project override (#12948)

2026-03-17 01:21:10 -07:00 · 2025-11-14 11:39:11 -05:00
parent 016b5b42e2
commit 9d74b7c0e8
14 changed files with 113 additions and 35 deletions
--- a/packages/cli/src/config/auth.test.ts
+++ b/packages/cli/src/config/auth.test.ts
@@ -32,8 +32,8 @@ describe('validateAuthMethod', () => {
    expect(validateAuthMethod(AuthType.LOGIN_WITH_GOOGLE)).toBeNull();
  });

-  it('should return null for CLOUD_SHELL', () => {
-    expect(validateAuthMethod(AuthType.CLOUD_SHELL)).toBeNull();
+  it('should return null for COMPUTE_ADC', () => {
+    expect(validateAuthMethod(AuthType.COMPUTE_ADC)).toBeNull();
  });

  describe('USE_GEMINI', () => {
--- a/packages/cli/src/config/auth.ts
+++ b/packages/cli/src/config/auth.ts
@@ -11,7 +11,7 @@ export function validateAuthMethod(authMethod: string): string | null {
  loadEnvironment(loadSettings().merged);
  if (
    authMethod === AuthType.LOGIN_WITH_GOOGLE ||
-    authMethod === AuthType.CLOUD_SHELL
+    authMethod === AuthType.COMPUTE_ADC
  ) {
    return null;
  }
--- a/packages/cli/src/gemini.tsx
+++ b/packages/cli/src/gemini.tsx
@@ -284,13 +284,19 @@ export async function main() {
    validateDnsResolutionOrder(settings.merged.advanced?.dnsResolutionOrder),
  );

-  // Set a default auth type if one isn't set.
-  if (!settings.merged.security?.auth?.selectedType) {
-    if (process.env['CLOUD_SHELL'] === 'true') {
+  // Set a default auth type if one isn't set or is set to a legacy type
+  if (
+    !settings.merged.security?.auth?.selectedType ||
+    settings.merged.security?.auth?.selectedType === AuthType.LEGACY_CLOUD_SHELL
+  ) {
+    if (
+      process.env['CLOUD_SHELL'] === 'true' ||
+      process.env['GEMINI_CLI_USE_COMPUTE_ADC'] === 'true'
+    ) {
      settings.setValue(
        SettingScope.User,
        'selectedAuthType',
-        AuthType.CLOUD_SHELL,
+        AuthType.COMPUTE_ADC,
      );
    }
  }
--- a/packages/cli/src/ui/auth/AuthDialog.test.tsx
+++ b/packages/cli/src/ui/auth/AuthDialog.test.tsx
@@ -109,8 +109,41 @@ describe('AuthDialog', () => {
    const items = mockedRadioButtonSelect.mock.calls[0][0].items;
    expect(items).toContainEqual({
      label: 'Use Cloud Shell user credentials',
-      value: AuthType.CLOUD_SHELL,
-      key: AuthType.CLOUD_SHELL,
+      value: AuthType.COMPUTE_ADC,
+      key: AuthType.COMPUTE_ADC,
+    });
+  });
+
+  it('does not show metadata server application default credentials option in Cloud Shell environment', () => {
+    process.env['CLOUD_SHELL'] = 'true';
+    renderWithProviders(<AuthDialog {...props} />);
+    const items = mockedRadioButtonSelect.mock.calls[0][0].items;
+    expect(items).not.toContainEqual({
+      label: 'Use metadata server application default credentials',
+      value: AuthType.COMPUTE_ADC,
+      key: AuthType.COMPUTE_ADC,
+    });
+  });
+
+  it('shows metadata server application default credentials option when GEMINI_CLI_USE_COMPUTE_ADC env var is true', () => {
+    process.env['GEMINI_CLI_USE_COMPUTE_ADC'] = 'true';
+    renderWithProviders(<AuthDialog {...props} />);
+    const items = mockedRadioButtonSelect.mock.calls[0][0].items;
+    expect(items).toContainEqual({
+      label: 'Use metadata server application default credentials',
+      value: AuthType.COMPUTE_ADC,
+      key: AuthType.COMPUTE_ADC,
+    });
+  });
+
+  it('does not show Cloud Shell option when when GEMINI_CLI_USE_COMPUTE_ADC env var is true', () => {
+    process.env['GEMINI_CLI_USE_COMPUTE_ADC'] = 'true';
+    renderWithProviders(<AuthDialog {...props} />);
+    const items = mockedRadioButtonSelect.mock.calls[0][0].items;
+    expect(items).not.toContainEqual({
+      label: 'Use Cloud Shell user credentials',
+      value: AuthType.COMPUTE_ADC,
+      key: AuthType.COMPUTE_ADC,
    });
  });

--- a/packages/cli/src/ui/auth/AuthDialog.tsx
+++ b/packages/cli/src/ui/auth/AuthDialog.tsx
@@ -50,11 +50,19 @@ export function AuthDialog({
      ? [
          {
            label: 'Use Cloud Shell user credentials',
-            value: AuthType.CLOUD_SHELL,
-            key: AuthType.CLOUD_SHELL,
+            value: AuthType.COMPUTE_ADC,
+            key: AuthType.COMPUTE_ADC,
          },
        ]
-      : []),
+      : process.env['GEMINI_CLI_USE_COMPUTE_ADC'] === 'true'
+        ? [
+            {
+              label: 'Use metadata server application default credentials',
+              value: AuthType.COMPUTE_ADC,
+              key: AuthType.COMPUTE_ADC,
+            },
+          ]
+        : []),
    {
      label: 'Use Gemini API Key',
      value: AuthType.USE_GEMINI,