feat: ability to update credentials on long running client (#4371)

* feat: ability to update credentials on long running client

* chore: generate libraries at Mon Mar  2 15:00:10 UTC 2026

* Update google-cloud-spanner/src/main/java/com/google/cloud/spanner/connection/MutableCredentials.java

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* fixed comp issue

* suggestions from gemini review + lint fixes

* chore: generate libraries at Mon Mar  2 15:20:24 UTC 2026

* test IT test

* remove commented out code

* chore: generate libraries at Mon Mar  2 17:08:19 UTC 2026

* added missing override methods

* attempt to fix IT tests

* chore: generate libraries at Tue Mar  3 21:06:51 UTC 2026

* try to use default key file

* chore: generate libraries at Tue Mar  3 21:25:30 UTC 2026

* try to use hardcoded service account file

* chore: generate libraries at Tue Mar  3 22:13:15 UTC 2026

* change to use resource as stream

# Conflicts:
#	google-cloud-spanner/src/test/java/com/google/cloud/spanner/connection/it/ITMutableCredentialsTest.java

* chore: generate libraries at Wed Mar  4 17:58:06 UTC 2026

* change to use correct project Id

* change to use new api for test

* chore: generate libraries at Wed Mar  4 18:27:30 UTC 2026

* fix instance name

* add invalid test key for IT tests

* change test key to be invalid

* chore: generate libraries at Wed Mar  4 19:01:08 UTC 2026

* working IT test

* need to check error message on kokoro as its different then local

* need to check error message on kokoro as its different then local

* provide default scopes constructor

* chore: generate libraries at Thu Mar  5 15:41:33 UTC 2026

* testing default credential accesss

* chore: generate libraries at Thu Mar  5 15:59:43 UTC 2026

* testing default credential accesss

* chore: generate libraries at Thu Mar  5 16:16:58 UTC 2026

* try to disable the nocredentials process

* chore: generate libraries at Thu Mar  5 18:31:08 UTC 2026

* hopefully fixed IT tests

# Conflicts:
#	google-cloud-spanner/src/test/java/com/google/cloud/spanner/connection/it/ITMutableCredentialsTest.java

* chore: generate libraries at Thu Mar  5 19:17:19 UTC 2026

* cleaned up tasks + added sample code

* chore: generate libraries at Thu Mar  5 20:28:36 UTC 2026

* bump sample dependency so code samples compile

* chore: generate libraries at Thu Mar  5 21:10:30 UTC 2026

* bump sample dependency so code samples compile

* chore: generate libraries at Thu Mar  5 21:49:47 UTC 2026

* updates from PR review

* chore: generate libraries at Fri Mar  6 14:38:15 UTC 2026

* moved IT test to correct package

* chore: generate libraries at Fri Mar  6 14:42:23 UTC 2026

* remove spanner version in samples

* chore: generate libraries at Fri Mar  6 15:13:14 UTC 2026

* remove MutableCredentials to separate PR

* chore: generate libraries at Fri Mar  6 15:23:50 UTC 2026

* added null checks for arguments in MutableCredentials

* chore: generate libraries at Mon Mar  9 13:13:15 UTC 2026

---------

Co-authored-by: cloud-java-bot <cloud-java-bot@google.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Author: 3 people

google-cloud-spanner/src/main/java/com/google/cloud/spanner/MutableCredentials.java

@@ -0,0 +1,119 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.cloud.spanner;
+
+import com.google.auth.CredentialTypeForMetrics;
+import com.google.auth.Credentials;
+import com.google.auth.RequestMetadataCallback;
+import com.google.auth.oauth2.ServiceAccountCredentials;
+import java.io.IOException;
+import java.net.URI;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+import java.util.concurrent.Executor;
+import javax.annotation.Nonnull;
+
+/**
+ * A mutable {@link Credentials} implementation that delegates authentication behavior to a scoped
+ * {@link ServiceAccountCredentials} instance.
+ *
+ * <p>This class is intended for scenarios where an application needs to replace the underlying
+ * service account credentials for a long-running Spanner Client.
+ *
+ * <p>All operations inherited from {@link Credentials} are forwarded to the current delegate,
+ * including request metadata retrieval and token refresh. Calling {@link
+ * #updateCredentials(ServiceAccountCredentials)} replaces the delegate with a newly scoped
+ * credentials instance created from the same scopes that were provided when this object was
+ * constructed.
+ */
+public class MutableCredentials extends Credentials {
+  private volatile ServiceAccountCredentials delegate;
+  private final Set<String> scopes;
+
+  /** Creates a MutableCredentials instance with default spanner scopes. */
+  public MutableCredentials(ServiceAccountCredentials credentials) {
+    this(credentials, SpannerOptions.SCOPES);
+  }
+
+  public MutableCredentials(
+      @Nonnull ServiceAccountCredentials credentials, @Nonnull Set<String> scopes) {
+    Objects.requireNonNull(credentials, "credentials must not be null");
+    Objects.requireNonNull(scopes, "scopes must not be null");
+    if (scopes.isEmpty()) {
+      throw new IllegalArgumentException("Scopes must not be empty");
+    }
+    this.scopes = new java.util.HashSet<>(scopes);
+    delegate = (ServiceAccountCredentials) credentials.createScoped(this.scopes);
+  }
+
+  /**
+   * Replaces the current delegate with a newly scoped credentials instance.
+   *
+   * <p>Note any in-flight RPC may continue to use the old credentials.
+   *
+   * <p>The provided {@link ServiceAccountCredentials} is scoped using the same scopes that were
+   * supplied when this {@link MutableCredentials} instance was created.
+   *
+   * @param credentials the new base service account credentials to scope and use for client
+   *     authorization.
+   */
+  public void updateCredentials(@Nonnull ServiceAccountCredentials credentials) {
+    Objects.requireNonNull(credentials, "credentials must not be null");
+    delegate = (ServiceAccountCredentials) credentials.createScoped(scopes);
+  }
+
+  @Override
+  public String getAuthenticationType() {
+    return delegate.getAuthenticationType();
+  }
+
+  @Override
+  public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
+    return delegate.getRequestMetadata(uri);
+  }
+
+  @Override
+  public boolean hasRequestMetadata() {
+    return delegate.hasRequestMetadata();
+  }
+
+  @Override
+  public boolean hasRequestMetadataOnly() {
+    return delegate.hasRequestMetadataOnly();
+  }
+
+  @Override
+  public void refresh() throws IOException {
+    delegate.refresh();
+  }
+
+  @Override
+  public void getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback) {
+    delegate.getRequestMetadata(uri, executor, callback);
+  }
+
+  @Override
+  public String getUniverseDomain() throws IOException {
+    return delegate.getUniverseDomain();
+  }
+
+  @Override
+  public CredentialTypeForMetrics getMetricsCredentialType() {
+    return delegate.getMetricsCredentialType();
+  }
+}

google-cloud-spanner/src/main/java/com/google/cloud/spanner/SpannerOptions.java

@@ -128,7 +128,7 @@ public class SpannerOptions extends ServiceOptions<Spanner, SpannerOptions> {
   private static final String GOOGLE_DEFAULT_UNIVERSE = "googleapis.com";
   private static final String EXPERIMENTAL_HOST_PROJECT_ID = "default";
 
-  private static final ImmutableSet<String> SCOPES =
+  static final ImmutableSet<String> SCOPES =
       ImmutableSet.of(
           "https://www.googleapis.com/auth/spanner.admin",
           "https://www.googleapis.com/auth/spanner.data");

google-cloud-spanner/src/test/java/com/google/cloud/spanner/MutableCredentialsTest.java

@@ -0,0 +1,196 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.cloud.spanner;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertThrows;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import com.google.auth.CredentialTypeForMetrics;
+import com.google.auth.RequestMetadataCallback;
+import com.google.auth.oauth2.ServiceAccountCredentials;
+import java.io.IOException;
+import java.net.URI;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.Executor;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+@RunWith(JUnit4.class)
+public class MutableCredentialsTest {
+  ServiceAccountCredentials initialCredentials = mock(ServiceAccountCredentials.class);
+  ServiceAccountCredentials initialScopedCredentials = mock(ServiceAccountCredentials.class);
+  ServiceAccountCredentials updatedCredentials = mock(ServiceAccountCredentials.class);
+  ServiceAccountCredentials updatedScopedCredentials = mock(ServiceAccountCredentials.class);
+  Set<String> scopes = new HashSet<>(Arrays.asList("scope-a", "scope-b"));
+  Map<String, List<String>> initialMetadata =
+      Collections.singletonMap("Authorization", Collections.singletonList("v1"));
+  Map<String, List<String>> updatedMetadata =
+      Collections.singletonMap("Authorization", Collections.singletonList("v2"));
+  String initialAuthType = "auth-1";
+  String updatedAuthType = "auth-2";
+  String initialUniverseDomain = "googleapis.com";
+  String updatedUniverseDomain = "abc.goog";
+  CredentialTypeForMetrics initialMetricsCredentialType =
+      CredentialTypeForMetrics.SERVICE_ACCOUNT_CREDENTIALS_JWT;
+  CredentialTypeForMetrics updatedMetricsCredentialType =
+      CredentialTypeForMetrics.SERVICE_ACCOUNT_CREDENTIALS_AT;
+
+  @Test
+  public void testCreateMutableCredentials() throws IOException {
+    setupInitialCredentials();
+
+    MutableCredentials credentials = new MutableCredentials(initialCredentials, scopes);
+    URI testUri = URI.create("https://spanner.googleapis.com");
+    Executor executor = mock(Executor.class);
+    RequestMetadataCallback callback = mock(RequestMetadataCallback.class);
+
+    validateInitialDelegatedCredentialsAreSet(credentials, testUri);
+
+    credentials.getRequestMetadata(testUri, executor, callback);
+
+    credentials.refresh();
+
+    verify(initialScopedCredentials, times(1)).getRequestMetadata(testUri, executor, callback);
+    verify(initialScopedCredentials, times(1)).refresh();
+  }
+
+  @Test
+  public void testCreateMutableCredentialsWithDefaultScopes() throws IOException {
+    Set<String> defaultScopes = SpannerOptions.SCOPES;
+    when(initialCredentials.createScoped(defaultScopes)).thenReturn(initialScopedCredentials);
+    when(initialScopedCredentials.getAuthenticationType()).thenReturn(initialAuthType);
+    when(initialScopedCredentials.getRequestMetadata(any(URI.class))).thenReturn(initialMetadata);
+    when(initialScopedCredentials.getUniverseDomain()).thenReturn(initialUniverseDomain);
+    when(initialScopedCredentials.getMetricsCredentialType())
+        .thenReturn(initialMetricsCredentialType);
+    when(initialScopedCredentials.hasRequestMetadata()).thenReturn(true);
+    when(initialScopedCredentials.hasRequestMetadataOnly()).thenReturn(true);
+
+    MutableCredentials credentials = new MutableCredentials(initialCredentials);
+    URI testUri = URI.create("https://spanner.googleapis.com");
+
+    validateInitialDelegatedCredentialsAreSet(credentials, testUri);
+    verify(initialCredentials).createScoped(defaultScopes);
+  }
+
+  @Test
+  public void testUpdateMutableCredentials() throws IOException {
+    setupInitialCredentials();
+    setupUpdatedCredentials();
+
+    MutableCredentials credentials = new MutableCredentials(initialCredentials, scopes);
+    URI testUri = URI.create("https://example.com");
+    Executor executor = mock(Executor.class);
+    RequestMetadataCallback callback = mock(RequestMetadataCallback.class);
+
+    validateInitialDelegatedCredentialsAreSet(credentials, testUri);
+
+    credentials.updateCredentials(updatedCredentials);
+
+    assertEquals(updatedAuthType, credentials.getAuthenticationType());
+    assertFalse(credentials.hasRequestMetadata());
+    assertFalse(credentials.hasRequestMetadataOnly());
+    assertSame(updatedMetadata, credentials.getRequestMetadata(testUri));
+    assertEquals(updatedUniverseDomain, credentials.getUniverseDomain());
+    assertEquals(updatedMetricsCredentialType, credentials.getMetricsCredentialType());
+
+    credentials.getRequestMetadata(testUri, executor, callback);
+
+    credentials.refresh();
+
+    verify(updatedScopedCredentials, times(1)).getRequestMetadata(testUri, executor, callback);
+    verify(updatedScopedCredentials, times(1)).refresh();
+  }
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testCreateMutableCredentialsEmptyScopesThrowsError() {
+    new MutableCredentials(initialCredentials, Collections.emptySet());
+  }
+
+  @Test
+  public void testCreateMutableCredentialsNullCredentialsThrowsError() {
+    NullPointerException exception =
+        assertThrows(NullPointerException.class, () -> new MutableCredentials(null, scopes));
+    assertEquals("credentials must not be null", exception.getMessage());
+  }
+
+  @Test
+  public void testCreateMutableCredentialsNullScopesThrowsError() {
+    NullPointerException exception =
+        assertThrows(
+            NullPointerException.class, () -> new MutableCredentials(initialCredentials, null));
+    assertEquals("scopes must not be null", exception.getMessage());
+  }
+
+  @Test
+  public void testUpdateMutableCredentialsNullCredentialsThrowsError() throws IOException {
+    setupInitialCredentials();
+    MutableCredentials credentials = new MutableCredentials(initialCredentials, scopes);
+
+    NullPointerException exception =
+        assertThrows(NullPointerException.class, () -> credentials.updateCredentials(null));
+    assertEquals("credentials must not be null", exception.getMessage());
+  }
+
+  private void validateInitialDelegatedCredentialsAreSet(
+      MutableCredentials credentials, URI testUri) throws IOException {
+    assertEquals(initialAuthType, credentials.getAuthenticationType());
+    assertTrue(credentials.hasRequestMetadata());
+    assertTrue(credentials.hasRequestMetadataOnly());
+    assertEquals(initialMetadata, credentials.getRequestMetadata(testUri));
+    assertEquals(initialUniverseDomain, credentials.getUniverseDomain());
+    assertEquals(initialMetricsCredentialType, credentials.getMetricsCredentialType());
+  }
+
+  private void setupInitialCredentials() throws IOException {
+    when(initialCredentials.createScoped(scopes)).thenReturn(initialScopedCredentials);
+    when(initialCredentials.createScoped(Collections.emptyList()))
+        .thenReturn(initialScopedCredentials);
+    when(initialScopedCredentials.getAuthenticationType()).thenReturn(initialAuthType);
+    when(initialScopedCredentials.getRequestMetadata(any(URI.class))).thenReturn(initialMetadata);
+    when(initialScopedCredentials.getUniverseDomain()).thenReturn(initialUniverseDomain);
+    when(initialScopedCredentials.getMetricsCredentialType())
+        .thenReturn(initialMetricsCredentialType);
+    when(initialScopedCredentials.hasRequestMetadata()).thenReturn(true);
+    when(initialScopedCredentials.hasRequestMetadataOnly()).thenReturn(true);
+  }
+
+  private void setupUpdatedCredentials() throws IOException {
+    when(updatedCredentials.createScoped(scopes)).thenReturn(updatedScopedCredentials);
+    when(updatedScopedCredentials.getAuthenticationType()).thenReturn(updatedAuthType);
+    when(updatedScopedCredentials.getRequestMetadata(any(URI.class))).thenReturn(updatedMetadata);
+    when(updatedScopedCredentials.getUniverseDomain()).thenReturn(updatedUniverseDomain);
+    when(updatedScopedCredentials.getMetricsCredentialType())
+        .thenReturn(updatedMetricsCredentialType);
+    when(updatedScopedCredentials.hasRequestMetadata()).thenReturn(false);
+    when(updatedScopedCredentials.hasRequestMetadataOnly()).thenReturn(false);
+  }
+}