@PrathameshBhagat PrathameshBhagat commented Oct 9, 2025

Description 📣

Users can now log in with just one line using GCP Auth (just like AWS Auth):

sdk.Auth().GCPAuthLogin(<machine-identity-id>);

Where machine-identity-id is the machine identity id with a GCP auth set up.

I have tried to keep it as close as possible to AWS Auth.

Demo Youtube video

https://youtu.be/IQH72UhPqMI

Please use 2x if you feel it's a bit longer.

Please note that giving the service account the Service Account Token Creator permission is also necessary; I missed it in the video. Please let me know if you need a video of me creating an Application Default credential.

Type ✨

  • Bug fix
  • New feature
  • Improvement
  • Breaking change
  • Documentation

Tests 🛠️

I have tested it with the code given below and will soon upload a YouTube video of me using it. I'm also looking to write automated tests as in AWS Auth, but it's taking long, so I'll appreciate any help.

Here
import com.infisical.sdk.InfisicalSdk;
import com.infisical.sdk.config.SdkConfig;

public class m {

  public static void main(String[] args) throws Exception {
    InfisicalSdk sdk = new InfisicalSdk(
      new SdkConfig.Builder()
        // Optional, will default to https://app.infisical.com
        .withSiteUrl("https://app.infisical.com")
        .build()
    );

    // Placeholder: the machine identity ID that has GCP Auth set up
    sdk.Auth().GCPAuthLogin("<my-identity-id-with-GCP-auth-setup>");

    /* Used this first then used my method above and both printed correct output
        sdk.Auth().UniversalAuthLogin(
          "<my-client-id>",
          "<my-secret>"
        );
    */

    // Placeholder project ID; "dev" is the environment slug, "/" the secret path
    var secret = sdk.Secrets().ListSecrets(
      "<my-project-id>",
      "dev",
      "/",
      null, // Expand Secret References (boolean, optional)
      null, // Include Imports (boolean, optional)
      null  // Secret Type (shared/personal, defaults to shared, optional)
    );

    System.out.println(secret);
  }
}

Note

If running locally and not in a GCP instance, you need to provide it credentials via an environment variable named GOOGLE_APPLICATION_CREDENTIALS created from a proper service account, and the service account should have the Service Account Token Creator permission to create JWT tokens. **I missed this in the video, the permission thing.**

Otherwise, if running in a GCP instance, it uses credentials from the service account linked to the instance and you do not need to do anything in this case, but in both cases the service account should have Service Account Token Creator permissions.

Also, in both cases, i.e. running in a GCP instance or locally, the "machine-identity-id" provided should have a GCP Auth set up with the "Token" option selected and NOT IAM, via the Infisical Dashboard, and be added to an Infisical project.

Users can now login using just one line in a GCP instance:

sdk.Auth().GCPAuthLogin(<machine-identity-id>);

Where <machine-identity-id> is the machine identity id with a GCP auth
set up.
If running locally and not in a GCP instance, you need to provide it credentials via an environment
variable.
This test requires an extra env named "INFISICAL_MACHINE_IDENTITY_ID"
(along with others), this machine identity should have GCP Auth
configured with token as selected.

This test also requires either to run in GCP instance (or similar) or provide an
environment variable named "GOOGLE_APPLICATION_CREDENTIAL" which is a location
to a file with Google (GCP) ADC credentials set up from a service account
with proper permission (permission to create JWT tokens).

@PrathameshBhagat PrathameshBhagat marked this pull request as ready for review October 12, 2025 20:01

@greptile-apps greptile-apps bot left a comment

Greptile Overview

Greptile Summary

This PR implements GCP authentication support for the Infisical Java SDK, providing parity with the existing AWS authentication functionality. The change adds a new GCPAuthProvider class that handles Google Cloud authentication flows using Google's official auth library, allowing users to authenticate with a single method call: sdk.Auth().GCPAuthLogin(identityId). The implementation follows the established pattern used by AWS auth, supporting both local development (via GOOGLE_APPLICATION_CREDENTIALS environment variable) and GCP instance deployment scenarios. The PR includes integration testing, proper dependency management in pom.xml, and maintains consistency with the existing codebase architecture by adding the new authentication method to the AuthClient class.

PR Description Notes:

  • The demonstration video link is provided but requires 2x speed viewing
  • Missing documentation in the /docs folder for customer discovery

Changed Files

| Filename | Score | Overview |
|---|---|---|
| src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java | 3/5 | New GCP auth provider that generates ID tokens using Google's credential libraries with concerning exception handling |
| src/main/java/com/infisical/sdk/resources/AuthClient.java | 4/5 | Added GCPAuthLogin method following existing AWS auth pattern with proper integration |
| src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java | 4/5 | New integration test for GCP auth functionality following established testing patterns |
| pom.xml | 4/5 | Added Google Auth Library dependency for GCP authentication support |

Confidence score: 3/5

  • This PR introduces new functionality but has some concerning implementation details that could cause production issues
  • Score lowered due to poor exception handling in GCPAuthProvider that masks important credential configuration errors by converting IOException to RuntimeException, and potential security concerns around input validation for the identityId parameter
  • Pay close attention to GCPAuthProvider.java for exception handling improvements and consider adding input validation for the identityId parameter

Sequence Diagram

sequenceDiagram
    participant User
    participant AuthClient
    participant GCPAuthProvider
    participant GoogleCredentials
    participant IdTokenCredentials
    participant ApiClient
    participant InfisicalAPI

    User->>AuthClient: "GCPAuthLogin(identityId)"
    AuthClient->>GCPAuthProvider: "getGCPAuthInput(identityId)"
    GCPAuthProvider->>GoogleCredentials: "getApplicationDefault()"
    GoogleCredentials-->>GCPAuthProvider: "credentials"
    GCPAuthProvider->>IdTokenCredentials: "newBuilder().setIdTokenProvider().setTargetAudience(identityId).build()"
    IdTokenCredentials-->>GCPAuthProvider: "idTokenCredentials"
    GCPAuthProvider->>IdTokenCredentials: "refreshAccessToken().getTokenValue()"
    IdTokenCredentials-->>GCPAuthProvider: "idToken"
    GCPAuthProvider->>GCPAuthProvider: "create HashMap with identityId and jwt"
    GCPAuthProvider-->>AuthClient: "HashMap body"
    AuthClient->>ApiClient: "post(url, body, MachineIdentityCredential.class)"
    ApiClient->>InfisicalAPI: "POST /api/v1/auth/gcp-auth/login"
    InfisicalAPI-->>ApiClient: "credential response"
    ApiClient-->>AuthClient: "MachineIdentityCredential"
    AuthClient->>AuthClient: "onAuthenticate.accept(credential.getAccessToken())"
    AuthClient-->>User: "authentication complete"

Context used:

  • Rule from dashboard - # Greptile Code Review Prompt: OR Query Safety Check (knex.js)

Objective

Flag database queries t... (source)

4 files reviewed, 4 comments

var envVars = new EnvironmentVariables();

// Get Machine Identity Id
String machineIdentityId = System.getenv("INFISICAL_MACHINE_IDENTITY_ID");

style: Consider using envVars.getMachineIdentityId() if this method exists, for consistency with other environment variable access patterns in the codebase

Author

I didn't want to update existing code, hence did this; let me know if I need to change this.

Comment on lines 39 to 41
} catch (IOException e){
throw new RuntimeException(e);
}

style: Converting IOException to RuntimeException may hide important credential configuration issues. Consider providing more specific error messages or allowing IOException to propagate with better context.

Author

I saw the same in AWSAuthProvider.java, hence did it here; let me know if I need to change this.
https://github.com/Infisical/java-sdk/blob/main/src/main/java/com/infisical/sdk/auth/AwsAuthProvider.java#L104

@PrathameshBhagat
Author

@greptileai I didn't use this System.getenv("INFISICAL_MACHINE_IDENTITY_ID"); in place of envVars.getMachineIdentityId() as I didn't want to modify existing code, and I did that with IOException cause I saw this in AWSAuthProvider.java : catch (JsonProcessingException e) {
throw new RuntimeException(e);
}, now review this.

@greptile-apps greptile-apps bot left a comment

Greptile Overview

Greptile Summary

This review covers only the changes made since the last review, not the entire PR. The changes include two minor updates: a formatting fix in the GCP authentication method by removing extra spacing before a comma parameter, and dependency updates in pom.xml. The pom.xml changes update logback-classic from version 1.5.6 to 1.5.13 and add the <optional>true</optional> tag to the GCP google-auth-library-oauth2-http dependency. These changes address the previous review feedback by making the GCP dependency optional (matching the AWS dependency pattern) and updating to a newer logback version with security improvements.

Important Files Changed

Changed Files

| Filename | Score | Overview |
|---|---|---|
| src/main/java/com/infisical/sdk/resources/AuthClient.java | 5/5 | Minor formatting fix removing extra space before comma in GCP auth method call |
| pom.xml | 5/5 | Updated logback version to 1.5.13 and marked GCP dependency as optional |

Confidence score: 5/5

  • This PR is safe to merge with minimal risk as it contains only minor formatting improvements and dependency updates
  • Score reflects simple cosmetic changes and best practice dependency management with no functional modifications to core logic
  • No files require special attention as these are straightforward maintenance updates

2 files reviewed, no comments

@PrathameshBhagat
Author

@greptileai I didn't use this System.getenv("INFISICAL_MACHINE_IDENTITY_ID"); in place of envVars.getMachineIdentityId() as I didn't want to modify existing code, and I did that with IOException cause I saw this in AWSAuthProvider.java : catch (JsonProcessingException e) {
throw new RuntimeException(e);
}, now review this complete PR.

@greptile-apps greptile-apps bot left a comment

Greptile Overview

Greptile Summary

This PR introduces Google Cloud Platform (GCP) authentication support to the Infisical Java SDK, enabling users to authenticate with a single method call similar to the existing AWS authentication feature. The implementation adds a new GCPAuthLogin method to the AuthClient class that follows the established authentication patterns in the codebase.

The changes include a new GCPAuthProvider class that leverages Google's OAuth2 library to automatically handle credential discovery and JWT token generation. The provider fetches credentials either from the GOOGLE_APPLICATION_CREDENTIALS environment variable or from GCP instance metadata, creates ID token credentials with the machine identity ID as the target audience, and returns the necessary authentication parameters.

The PR also updates the Maven POM to include the required Google authentication library as an optional dependency (following feedback from previous reviews), maintains consistency with the existing AWS auth pattern, and includes an integration test that validates the end-to-end authentication flow and secret retrieval functionality.

Important Files Changed

Changed Files

| Filename | Score | Overview |
|---|---|---|
| src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java | 4/5 | New provider class implementing GCP JWT token generation using Google OAuth2 library |
| src/main/java/com/infisical/sdk/resources/AuthClient.java | 4/5 | Added GCPAuthLogin method following existing AWS auth pattern |
| pom.xml | 4/5 | Added optional GCP auth dependency and updated logback version |
| src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java | 4/5 | New integration test validating GCP auth functionality and secret retrieval |

Confidence score: 4/5

  • This PR is safe to merge with minimal risk as it follows established patterns and doesn't modify existing functionality
  • Score reflects clean implementation following existing conventions, but minor improvements could be made to error handling and input validation
  • Pay close attention to the exception handling in GCPAuthProvider.java which could benefit from more specific error messages

Sequence Diagram

sequenceDiagram
    participant User
    participant InfisicalSdk
    participant AuthClient
    participant GCPAuthProvider
    participant GoogleCredentials
    participant IdTokenCredentials
    participant ApiClient
    participant InfisicalAPI

    User->>InfisicalSdk: "GCPAuthLogin(identityId)"
    InfisicalSdk->>AuthClient: "GCPAuthLogin(identityId)"
    AuthClient->>GCPAuthProvider: "getGCPAuthInput(identityId)"
    GCPAuthProvider->>GoogleCredentials: "getApplicationDefault()"
    GoogleCredentials-->>GCPAuthProvider: "credentials"
    GCPAuthProvider->>IdTokenCredentials: "newBuilder().setIdTokenProvider().setTargetAudience().build()"
    IdTokenCredentials-->>GCPAuthProvider: "tokenCredentials"
    GCPAuthProvider->>IdTokenCredentials: "refreshAccessToken().getTokenValue()"
    IdTokenCredentials-->>GCPAuthProvider: "idToken"
    GCPAuthProvider-->>AuthClient: "HashMap{identityId, jwt}"
    AuthClient->>ApiClient: "post('/api/v1/auth/gcp-auth/login', input)"
    ApiClient->>InfisicalAPI: "POST /api/v1/auth/gcp-auth/login"
    InfisicalAPI-->>ApiClient: "MachineIdentityCredential"
    ApiClient-->>AuthClient: "credential"
    AuthClient->>AuthClient: "onAuthenticate.accept(accessToken)"
    AuthClient-->>InfisicalSdk: "authentication complete"
    InfisicalSdk-->>User: "authenticated"

4 files reviewed, 5 comments

import static org.junit.jupiter.api.Assertions.*;

public class GCPAuthIntegrationTest{

syntax: Missing space before opening brace - should be GCPAuthIntegrationTest {

Comment on lines 60 to 66
public void GCPAuthLogin(String identityId) throws InfisicalException {
var url = String.format("%s%s", this.apiClient.GetBaseUrl(), "/api/v1/auth/gcp-auth/login");

var input = GCPAuthProvider.getGCPAuthInput(identityId);
var credential = this.apiClient.post(url, input, MachineIdentityCredential.class);
this.onAuthenticate.accept(credential.getAccessToken());
}
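Review bot: the call to GCPAuthProvider.getGCPAuthInput(identityId) sits outside any try/catch, while the method declares only throws InfisicalException. The provider snippet quoted earlier in this conversation (GCPAuthProvider.java, lines 39 to 41) rethrows IOException as RuntimeException, so a missing or unreadable credential file would reach the caller as an unchecked exception that code handling InfisicalException never sees. Suggest catching it here, or in the provider, and rethrowing as InfisicalException with a message that names the credential source.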

style: Consider adding input validation for the identityId parameter, similar to how LdapAuthLogin validates its input on lines 33-37. This would provide consistent error handling across auth methods

public class GCPAuthProvider {

public static HashMap<String,String> getGCPAuthInput(String identityId){

logic: Missing null check for identityId parameter could cause NullPointerException during token creation

IdTokenCredentials idTokenCredentials =
IdTokenCredentials.newBuilder()
.setIdTokenProvider((IdTokenProvider) googleCredentials)

logic: Unsafe cast to IdTokenProvider without type checking - could throw ClassCastException if GoogleCredentials doesn't implement IdTokenProvider

// Get the ID token.
String idToken = idTokenCredentials.refreshAccessToken().getTokenValue();

// Body cannot be a string so... HashMap can use bulider, POJO etc

syntax: Typo in comment: 'bulider' should be 'builder'
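
The review comments above on GCPAuthProvider.java (the IOException wrapped in RuntimeException, the missing identityId check and the unchecked IdTokenProvider cast) all concern one method, so they can be addressed together. The following is an added example, not the PR's code or the Infisical SDK's own: the class GcpAuthInputExample, the method buildLoginBody and the exception GcpAuthException are hypothetical names, while the Google auth library calls and the identityId/jwt body fields are the ones shown in the review's sequence diagram.

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdTokenCredentials;
import com.google.auth.oauth2.IdTokenProvider;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

// Added example: hypothetical class, not the PR's GCPAuthProvider.
public final class GcpAuthInputExample {

  /** Hypothetical checked exception standing in for the SDK's own exception type. */
  public static final class GcpAuthException extends Exception {
    public GcpAuthException(String message) {
      super(message);
    }

    public GcpAuthException(String message, Throwable cause) {
      super(message, cause);
    }
  }

  /** Builds the login request body {identityId, jwt} for the GCP auth login endpoint. */
  public static Map<String, String> buildLoginBody(String identityId) throws GcpAuthException {
    // Reject null/blank input before it is used as the token audience.
    if (identityId == null || identityId.trim().isEmpty()) {
      throw new GcpAuthException("Identity ID is required");
    }

    // Application Default Credentials: GOOGLE_APPLICATION_CREDENTIALS when running
    // locally, or the service account attached to the GCP instance.
    GoogleCredentials adc;
    try {
      adc = GoogleCredentials.getApplicationDefault();
    } catch (IOException e) {
      throw new GcpAuthException(
          "Could not load Application Default Credentials; set "
              + "GOOGLE_APPLICATION_CREDENTIALS or run on a GCP instance "
              + "with a service account attached", e);
    }

    // Check the type instead of casting blindly: not every credential can mint ID tokens.
    if (!(adc instanceof IdTokenProvider)) {
      throw new GcpAuthException(
          "Credential type " + adc.getClass().getSimpleName() + " cannot issue ID tokens");
    }

    // The machine identity ID is the target audience of the ID token.
    IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
        .setIdTokenProvider((IdTokenProvider) adc)
        .setTargetAudience(identityId)
        .build();

    String jwt;
    try {
      jwt = idTokenCredentials.refreshAccessToken().getTokenValue();
    } catch (IOException e) {
      throw new GcpAuthException(
          "ID token request failed; check that the service account has the "
              + "Service Account Token Creator permission", e);
    }

    Map<String, String> body = new HashMap<>();
    body.put("identityId", identityId);
    body.put("jwt", jwt);
    return body;
  }

  public static void main(String[] args) throws GcpAuthException {
    // args[0] is the machine identity ID; the token value is a bearer credential
    // and is never printed or logged.
    Map<String, String> body = buildLoginBody(args.length > 0 ? args[0] : null);
    System.out.println("login body fields: " + body.keySet());
  }
}
```

Each failure path carries a message that names its likely cause, so a credential misconfiguration is distinguishable from a bad identity ID without logging the token.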

@PrathameshBhagat
Author

@greptileai review this complete PR.

@greptile-apps greptile-apps bot left a comment

Greptile Overview

Greptile Summary

This review covers only the changes made since the last review, not the entire PR. The developer has addressed most of the previous review feedback by implementing input validation in both GCPAuthProvider.java and AuthClient.java. The GCPAuthProvider.java file now includes null/empty checks for the identityId parameter, preventing potential NullPointerException during token creation. Similar input validation was added to the AuthClient.java file, maintaining consistency with other authentication methods in the codebase.

The integration test file GCPAuthIntegrationTest.java had a minor formatting fix applied, adding a space before the opening brace in the class declaration. However, one typo remains in the error message "credentails" instead of "credentials" in line 45 of GCPAuthProvider.java. The changes demonstrate good responsiveness to feedback and maintain the established patterns of the SDK's authentication architecture.

Important Files Changed

Changed Files

| Filename | Score | Overview |
|---|---|---|
| src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java | 4/5 | Added input validation for identityId parameter and improved error handling, but still contains one typo in error message |
| src/main/java/com/infisical/sdk/resources/AuthClient.java | 4/5 | Implemented input validation for GCP authentication method to match other auth methods, minor formatting inconsistencies remain |
| src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java | 4/5 | Applied formatting fix to class declaration, test structure follows established patterns but could use environment variable utility class |

Confidence score: 4/5

  • This PR is safe to merge with minimal risk as it addresses most security and validation concerns raised in previous reviews
  • Score reflects good response to feedback with proper input validation implementation, but points deducted for remaining typo and minor formatting inconsistencies
  • Pay close attention to GCPAuthProvider.java for the remaining typo in the error message that should be corrected before merge

3 files reviewed, 3 comments

public void GCPAuthLogin(String identityId) throws InfisicalException {

if (identityId == null || identityId.isEmpty() )

style: Extra space before closing parenthesis in the condition

if (identityId == null || identityId.isEmpty() )

throw new InfisicalException( "Identity ID is required");

style: Extra space before opening parenthesis in the exception constructor

PrathameshBhagat and others added 2 commits October 13, 2025 12:38
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@PrathameshBhagat
Author

@greptileai "Review this complete PR"

@greptile-apps greptile-apps bot left a comment

Greptile Overview

Greptile Summary

This review covers only the minor formatting changes made since the last review. The changes are purely cosmetic whitespace fixes that improve code consistency by removing unnecessary spaces around parentheses and in the exception constructor in the GCPAuthLogin method. These formatting adjustments align the code with Java formatting standards used elsewhere in the codebase, making the authentication method consistent with other auth methods in the same class. No functional changes were made to the GCP authentication logic itself.

Important Files Changed

Changed Files

| Filename | Score | Overview |
|---|---|---|
| src/main/java/com/infisical/sdk/resources/AuthClient.java | 5/5 | Minor whitespace formatting fixes in GCPAuthLogin method |
| src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java | 5/5 | Fixed typo in error message from "credentails" to "credentials" |

Confidence score: 5/5

  • This PR is safe to merge with minimal risk as it only contains formatting fixes and typo corrections
  • Score reflects that these are purely cosmetic changes addressing previous review feedback with no functional modifications
  • No files require special attention as all changes are minor code quality improvements

2 files reviewed, no comments

@PrathameshBhagat
Author

@greptileai

@greptile-apps greptile-apps bot left a comment

Greptile Overview

Greptile Summary

This review covers only the changes made since the last review, not the entire PR. The changes show a complete removal of the GCP authentication feature that was previously added. All core GCP auth implementation files have been deleted, including the GCPAuthProvider.java class, the GCPAuthLogin method from AuthClient.java, and the integration test GCPAuthIntegrationTest.java. Additionally, the required Google Auth library dependency has been removed from pom.xml. This creates a significant contradiction with the PR title "feat: GCP Auth Login" and description, which claim to add GCP authentication functionality. The changes appear to be a complete rollback of the GCP auth feature rather than an addition.

Important Files Changed

Changed Files

| Filename | Score | Overview |
|---|---|---|
| src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java | 2/5 | Complete deletion of the core GCP authentication provider implementation |
| src/main/java/com/infisical/sdk/resources/AuthClient.java | 2/5 | Removal of GCPAuthLogin method and related import statements |
| src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java | 1/5 | Complete deletion of GCP authentication integration test |
| pom.xml | 0/5 | Removal of required Google Auth library dependency and logback version downgrade |

Confidence score: 0/5

  • This PR will definitely cause build failures and broken functionality if merged
  • Score reflects complete removal of advertised feature, missing critical dependencies, and contradiction between PR description and actual changes
  • All files require immediate attention as they represent complete removal of core GCP authentication functionality

Additional Comments (5)

  1. src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java, line 1

    logic: Complete deletion of GCP integration test contradicts the PR's purpose of adding GCP auth functionality. This removes critical test coverage for the new feature being introduced.

  2. src/main/java/com/infisical/sdk/resources/AuthClient.java, line 1-62

    logic: This PR claims to add GCP Auth Login functionality, but the changes show removal of the GCPAuthLogin method and GCPAuthProvider import. This contradicts the PR description and title. The actual implementation may be missing or this could be the wrong diff.

  3. src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java, line 1-51

    logic: Complete deletion of GCPAuthProvider class could break existing GCP authentication functionality. Need to verify that this functionality has been moved elsewhere and that all existing users of this class have been updated.

  4. pom.xml, line 95-99

    logic: Logback version has been downgraded from 1.5.13 to 1.5.6 - this conflicts with the logback-core dependency on line 85 which is still at 1.5.13. Version mismatch between logback components can cause runtime issues.

  5. pom.xml, line 133

    logic: Critical missing dependency - the google-auth-library-oauth2-http dependency required for GCP authentication has been removed. Without this dependency, the GCPAuthProvider class added in this PR will fail at runtime with ClassNotFoundException.

4 files reviewed, 5 comments

@PrathameshBhagat
Author

@greptileai

@greptile-apps greptile-apps bot left a comment

Greptile Overview

Greptile Summary

This review covers only the most recent changes in the PR, not the entire PR history. The changes appear to be related to addressing previously identified issues in the GCP authentication implementation. Based on the context, this PR originally introduced GCP authentication support to the Java SDK, mirroring the existing AWS authentication pattern. The new feature allows users to authenticate with a single line of code: sdk.Auth().GCPAuthLogin(<machine-identity-id>). The implementation includes a new GCPAuthProvider class that uses Google's OAuth2 libraries to generate ID tokens, updates to the AuthClient with the new authentication method, Maven dependency additions for Google Auth libraries, and integration tests to verify the functionality.

Important Files Changed

Changed Files

| Filename | Score | Overview |
|---|---|---|
| src/main/java/com/infisical/sdk/resources/AuthClient.java | 4/5 | Adds GCPAuthLogin method with basic input validation following AWS auth pattern |
| src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java | 2/5 | Implements GCP authentication provider but contains critical security vulnerabilities with unsafe casting and poor error handling |
| pom.xml | 4/5 | Updates logback version and adds Google Auth library dependency marked as optional |
| src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java | 4/5 | Adds integration test for GCP authentication following established testing patterns |

Confidence score: 2/5

  • This PR requires careful review due to critical security vulnerabilities in the GCP authentication implementation
  • Score lowered due to unsafe type casting that could cause ClassCastException, missing null checks that could lead to runtime exceptions, poor error handling that obscures credential configuration issues, and multiple code style inconsistencies that suggest insufficient testing
  • Pay close attention to src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java which contains the most critical issues that could cause production failures

4 files reviewed, 1 comment

Comment on lines +53 to +54
assertNotNull(secrets, "Secrets list should not be null");
assertFalse(secrets.isEmpty(), "Secrets list should not be empty");

style: Test assumes secrets exist in the 'dev' environment. Consider adding a comment explaining this prerequisite or making the test more robust by checking if no secrets exist.
