AuthorizedSession.configure_mtls_channel raises an exception if the optional OpenSSL package is not installed. This may have been ok when mtls was fully opt-in, but now it is automatically enabled based on the environment, so these failures can hit users by surprise. This seems to be an issue with google-auth>=2.49.0.
I am seeing this triggered automatically on the Bigtable rest tests (client sets up a new transport, which calls configure_mtls_channel, which triggers the exception).
The docstring also seems out of date, since it says "The function does nothing unless GOOGLE_API_USE_CLIENT_CERTIFICATE is explicitly set to true"
A couple options on how to address this:
- we could change check_use_client_cert to take this dependency into account when deciding whether to enable mtls
- we could also change configure_mtls_channel to do nothing if the dependency is missing, effectively disabling mtls
- There is also the question of whether OpenSSL should be made a required dependency, if mTLS is going to be the default going forward
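
The first two options listed above, sketched as an added example (not google-auth code and not from the issue author). `decide_mtls`, `cert_detected` and `have_openssl` are hypothetical names; the assumption is that an explicit `GOOGLE_API_USE_CLIENT_CERTIFICATE=true` should still fail loudly when OpenSSL is missing, while automatic enablement falls back to no mTLS with a warning.

```python
import importlib.util
import logging
import os

log = logging.getLogger("mtls_guard")
ENV_VAR = "GOOGLE_API_USE_CLIENT_CERTIFICATE"  # variable named in the docstring quoted above


def pyopenssl_available():
    """True if the optional OpenSSL (pyOpenSSL) package is importable."""
    return importlib.util.find_spec("OpenSSL") is not None


def decide_mtls(env=None, cert_detected=False, have_openssl=None):
    """Return (enable_mtls, reason). Hypothetical helper, not a google-auth API.

    cert_detected stands in for whatever environment-based detection
    turns mTLS on automatically (assumption for this example).
    """
    env = os.environ if env is None else env
    if have_openssl is None:
        have_openssl = pyopenssl_available()

    explicit = env.get(ENV_VAR, "").strip().lower()
    if explicit == "false":
        return False, "explicitly disabled"
    if explicit == "true":
        # The user asked for mTLS: silently dropping the client
        # certificate would be a fail-open downgrade, so raise instead.
        if not have_openssl:
            raise ImportError(
                f"{ENV_VAR}=true but the OpenSSL package is not installed")
        return True, "explicitly enabled"

    # Variable unset: mTLS would only be switched on by auto-detection.
    if not cert_detected:
        return False, "no client certificate detected"
    if not have_openssl:
        log.warning("client certificate detected but OpenSSL is missing; "
                    "continuing without mTLS")
        return False, "auto-detected, dependency missing"
    return True, "auto-enabled"
```

The warning on the fallback path matters for operators: without it, a host that was expected to present a client certificate would connect over plain TLS with no trace in the logs.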