@dv-gorasiya dv-gorasiya commented Feb 8, 2026

Summary

Fixes #61217: CloudSecretManagerBackend with explicit project_id fails when Application Default Credentials (ADC) have no default project.

Root Cause

_get_credentials_using_adc() raises an AirflowException when google.auth.default() returns None project_id. This occurs before CloudSecretManagerBackend.__init__ can apply the explicit project_id parameter, causing the backend to fail even when a valid project ID is provided.

Changes

  1. credentials_provider.py – _get_credentials_using_adc() now returns an empty string ("") instead of raising when ADC yields None project_id.
  2. secret_manager.py – Added validation in __init__ that raises AirflowException if neither ADC nor the explicit project_id parameter provides a project ID.
  3. Formatting – Applied black and isort to both modified files.

Backward Compatibility

  • Callers that previously got the exception still get one – the exception is now raised from CloudSecretManagerBackend.__init__ with a clearer message.
  • Callers that pass an explicit project_id now work correctly – the explicit parameter is honored.
  • No change to the public API – get_credentials_and_project_id() still returns tuple[Credentials, str] (empty string is a valid str).

Testing

  • Manual verification with a minimal test script (included in the PR description).
  • Existing unit tests for CloudSecretManagerBackend and credentials_provider pass because they mock google.auth.default to return a valid project ID.
  • New unit test added to test_credentials_provider.py: test_get_credentials_and_project_id_with_default_auth_no_project_id verifies that get_credentials_and_project_id() returns an empty string when ADC yields None project_id.
  • The fix ensures the regression described in the issue is resolved: CloudSecretManagerBackend(project_id="my-project") now works when ADC lacks a default project.

Impact on Other Callers

Other components that call get_credentials_and_project_id() without an explicit key_secret_project_id will receive an empty string instead of an AirflowException. If those components do not validate the project ID, they may propagate the empty string to downstream Google APIs, which will produce a different error (e.g., “Invalid project”). This is acceptable because:

  1. The primary regression (explicit project_id being ignored) is fixed.
  2. The scenario occurs only when ADC has no default project and the caller does not provide an explicit project ID via key_secret_project_id (or similar).
  3. The error message change is minimal; the user still gets an error indicating something is wrong with the project ID.

Checklist

  • My commit messages are descriptive and reference the issue number.
  • I have reviewed the existing unit tests for the affected modules.
  • I have added/updated tests that verify the fix (if applicable).
  • Any dependent changes have been merged and published.

Related Issues

…sue apache#61217)

Previously,  would fail when
Application Default Credentials (ADC) had no default project, because
 raised an AirflowException before the explicit
project_id could be applied.

Changes:
1.  returns empty string ("") instead of raising
   when ADC yields None project_id.
2.  now validates that a project_id is
   available (either from ADC or explicit parameter) and raises a clear error.

Backward compatibility:
- Callers that relied on the exception still get one (now from the backend).
- Callers that pass an explicit project_id now work correctly.
- No change to the public API of .
@boring-cyborg boring-cyborg bot added area:providers area:secrets provider:google Google (including GCP) related issues labels Feb 8, 2026
@dv-gorasiya dv-gorasiya marked this pull request as ready for review February 8, 2026 23:48
@dv-gorasiya dv-gorasiya requested a review from shahar1 as a code owner February 8, 2026 23:48
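
The resolution order described in this pull request, as an added example that is not code from the PR or from the Airflow Google provider. `BackendConfigError`, `SecretBackend`, `credentials_old`, `credentials_new`, `adc_without_project` and the secret name `example` are hypothetical stand-ins so the block runs without Airflow or google-auth installed; the last function shows the "Impact on Other Callers" case, where a caller that skips validation carries the empty project into a resource path.

```python
# Added illustration; every name here is a stand-in, not the Airflow provider's code.
class BackendConfigError(Exception):
    """Stand-in for AirflowException."""

def adc_without_project():
    # Constructed stand-in for google.auth.default() when ADC has no default project.
    return object(), None

def credentials_old(adc):
    """Behaviour before the change: raise as soon as ADC yields no project."""
    creds, project = adc()
    if project is None:
        raise BackendConfigError("ADC returned no project_id")
    return creds, project

def credentials_new(adc):
    """Behaviour after the change: normalise a missing project to ""."""
    creds, project = adc()
    return creds, project or ""

class SecretBackend:
    """Stand-in for the backend constructor's resolution and validation."""
    def __init__(self, get_credentials, adc, project_id=None):
        self.credentials, adc_project = get_credentials(adc)
        # The explicit parameter wins; otherwise fall back to the ADC project.
        self.project_id = project_id or adc_project
        if not self.project_id:  # fail closed here instead of at the remote API
            raise BackendConfigError(
                "No project_id: pass project_id or configure a default ADC project"
            )

def outcome(get_credentials, project_id):
    """Return the resolved project, or the error text, for one combination."""
    try:
        return SecretBackend(get_credentials, adc_without_project, project_id).project_id
    except BackendConfigError as exc:
        return f"error: {exc}"

def unvalidated_caller(adc):
    """A caller that skips validation builds a path with an empty project segment."""
    _, project = credentials_new(adc)
    return f"projects/{project}/secrets/example"

if __name__ == "__main__":
    print(outcome(credentials_old, "my-project"))   # explicit project never applied
    print(outcome(credentials_new, "my-project"))   # explicit project honored
    print(outcome(credentials_new, None))           # rejected by the backend itself
    print(unvalidated_caller(adc_without_project))  # empty project reaches the path
```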

Development

Successfully merging this pull request may close these issues.

CloudSecretManagerBackend fails with ADC when explicit project_id provided (regression in 19.4.0)
