From 58aaa6c6051b297a152b406c390c5a27bc568f1c Mon Sep 17 00:00:00 2001 From: Ana Salazar Date: Mon, 30 Jun 2025 19:12:03 +0000 Subject: [PATCH 01/14] L123: C-core: Support ALTS Credentials in Google Default Credentials --- L123-core-add-alts-google-call-credentials.md | 83 +++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 L123-core-add-alts-google-call-credentials.md diff --git a/L123-core-add-alts-google-call-credentials.md b/L123-core-add-alts-google-call-credentials.md new file mode 100644 index 000000000..fdb810c6d --- /dev/null +++ b/L123-core-add-alts-google-call-credentials.md @@ -0,0 +1,83 @@ +# Support ALTS Credentials in Google Default Credentials + +-------------------------------------------------------------------------------- + +* Author(s): anniefrchz +* Approver: a11r +* Status: Draft +* Implemented in: C++ +* Last updated: 2025/06/30 +* Discussion at: (filled after thread exists) + +## Abstract + +This proposal outlines a change to the gRPC Core C-API to support +alts-credentials configurations within `grpc_google_default_credentials`. This +enhancement specifically allows a secondary set of channel credentials for ALTS +to be provided alongside the default credentials. + +### Background + +The existing `grpc_google_default_credentials_create` function only allowed for +the configuration of a single set of call credentials. This posed a limitation +in scenarios where a client needs to communicate with different services that +require distinct security mechanisms over the same channel. Without the ability +to handle both credential types, this process would be cumbersome or impossible +to manage on a single channel. This proposal addresses the need to support +multiple transport security types on a channel initialized with Google's default +credentials. + +### Proposal + +To maintain backward compatibility with the existing C-API, this proposal +modifies the function `grpc_google_default_credentials_create` to add a second +set of call credentials. + +```c +GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create( + grpc_call_credentials* tls_credentials, + grpc_call_credentials* alts_credentials); +``` + +This new function accepts two arguments: + +1. `tls_credentials`: The primary call credentials, consistent with the + existing API. Usually. default back to the TLS connection. +2. `alts_credentials`: A secondary set of channel credentials to be used + specifically for ALTS connections. + +When a channel is created with this function, the gRPC runtime will select the +appropriate credentials based on the transport security type required for a +given connection. If the connection requires ALTS, the provided alts_credentials +will be used. For all other connection types, the default behavior is +maintained. + +This approach was decided upon after initial feedback suggested modifying the +existing API. + +## Rationale + +The primary motivation for this change is to enable seamless support for hybrid +security environments on a single gRPC channel. + +The advantages of this approach are: + +* Consolidated API: It avoids introducing a new function for a closely related + feature, keeping the API surface clean and concise. An initial review of the + pull request favored this path to avoid an unnecessary new API. +* Improved Discoverability: Developers only need to be aware of a single + function for creating Google default credentials. The optional nature of the + second parameter would make the basic use case simple while allowing for the + more advanced dual-credential scenario when needed. +* Logical Cohesion: Since the new functionality is an extension of the + existing credential creation process, incorporating it into the original + function maintains logical cohesion. The function's responsibility is + expanded rather than duplicated across multiple functions. + +## Implementation + +The implementation for this proposal has been completed and merged into the main +gRPC repository. + +* Pull Request: grpc/grpc#39770 +* Key Commit: The changes were integrated via commit ca2e8c9. From 7fe3088dde082467258b15eadc84fcb204f01e8d Mon Sep 17 00:00:00 2001 From: Ana Salazar Date: Tue, 1 Jul 2025 17:02:14 +0000 Subject: [PATCH 02/14] Incorporate initial feedback --- L123-core-add-alts-google-call-credentials.md | 36 ++++++++++--------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/L123-core-add-alts-google-call-credentials.md b/L123-core-add-alts-google-call-credentials.md index fdb810c6d..39436a615 100644 --- a/L123-core-add-alts-google-call-credentials.md +++ b/L123-core-add-alts-google-call-credentials.md @@ -1,4 +1,4 @@ -# Support ALTS Credentials in Google Default Credentials +# Support ALTS Hard Bound Call Credentials in Google Default Credentials -------------------------------------------------------------------------------- @@ -13,19 +13,16 @@ This proposal outlines a change to the gRPC Core C-API to support alts-credentials configurations within `grpc_google_default_credentials`. This -enhancement specifically allows a secondary set of channel credentials for ALTS -to be provided alongside the default credentials. +enhancement specifically allows a secondary set of call credentials for ALTS to +be provided alongside the default credentials. ### Background -The existing `grpc_google_default_credentials_create` function only allowed for -the configuration of a single set of call credentials. This posed a limitation -in scenarios where a client needs to communicate with different services that -require distinct security mechanisms over the same channel. Without the ability -to handle both credential types, this process would be cumbersome or impossible -to manage on a single channel. This proposal addresses the need to support -multiple transport security types on a channel initialized with Google's default -credentials. +The existing `grpc_google_default_credentials_create` function allows the +configuration of a single set of call credentials. In some scenarios, a client +would want to communicate with services that support hard bound credentials over +ALTS. This proposal addresses the possibility to support this use case on a +channel initialized with Google's default credentials. ### Proposal @@ -43,14 +40,16 @@ This new function accepts two arguments: 1. `tls_credentials`: The primary call credentials, consistent with the existing API. Usually. default back to the TLS connection. -2. `alts_credentials`: A secondary set of channel credentials to be used +2. `alts_credentials`: A secondary set of call credentials to be used specifically for ALTS connections. -When a channel is created with this function, the gRPC runtime will select the -appropriate credentials based on the transport security type required for a -given connection. If the connection requires ALTS, the provided alts_credentials -will be used. For all other connection types, the default behavior is -maintained. +After a secure connection is established, the gRPC runtime identifies the +channel's transport security type, which indicates whether the underlying +channel is using a protocol like ALTS or TLS. The runtime then selects the +appropriate call credentials for that connection. If the determined transport +security type is ALTS, the provided alts_credentials will be used. For all other +transport types, the primary call_credentials are used, maintaining the default +behavior. This approach was decided upon after initial feedback suggested modifying the existing API. @@ -73,6 +72,9 @@ The advantages of this approach are: existing credential creation process, incorporating it into the original function maintains logical cohesion. The function's responsibility is expanded rather than duplicated across multiple functions. +* Cross-language support: Since wrapper languages like Python use this API, + supporting ALTS bound credentials will be straightforward by passing them as + an argument to the existing API. ## Implementation From 3f8ebd6aa4ebf9ac3fc5090def7f737b56891418 Mon Sep 17 00:00:00 2001 From: Ana Salazar Date: Wed, 2 Jul 2025 17:01:28 +0000 Subject: [PATCH 03/14] Add discussion link and fix number --- L123-core-add-alts-google-call-credentials.md | 85 ------------------- 1 file changed, 85 deletions(-) delete mode 100644 L123-core-add-alts-google-call-credentials.md diff --git a/L123-core-add-alts-google-call-credentials.md b/L123-core-add-alts-google-call-credentials.md deleted file mode 100644 index 39436a615..000000000 --- a/L123-core-add-alts-google-call-credentials.md +++ /dev/null @@ -1,85 +0,0 @@ -# Support ALTS Hard Bound Call Credentials in Google Default Credentials - --------------------------------------------------------------------------------- - -* Author(s): anniefrchz -* Approver: a11r -* Status: Draft -* Implemented in: C++ -* Last updated: 2025/06/30 -* Discussion at: (filled after thread exists) - -## Abstract - -This proposal outlines a change to the gRPC Core C-API to support -alts-credentials configurations within `grpc_google_default_credentials`. This -enhancement specifically allows a secondary set of call credentials for ALTS to -be provided alongside the default credentials. - -### Background - -The existing `grpc_google_default_credentials_create` function allows the -configuration of a single set of call credentials. In some scenarios, a client -would want to communicate with services that support hard bound credentials over -ALTS. This proposal addresses the possibility to support this use case on a -channel initialized with Google's default credentials. - -### Proposal - -To maintain backward compatibility with the existing C-API, this proposal -modifies the function `grpc_google_default_credentials_create` to add a second -set of call credentials. - -```c -GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create( - grpc_call_credentials* tls_credentials, - grpc_call_credentials* alts_credentials); -``` - -This new function accepts two arguments: - -1. `tls_credentials`: The primary call credentials, consistent with the - existing API. Usually. default back to the TLS connection. -2. `alts_credentials`: A secondary set of call credentials to be used - specifically for ALTS connections. - -After a secure connection is established, the gRPC runtime identifies the -channel's transport security type, which indicates whether the underlying -channel is using a protocol like ALTS or TLS. The runtime then selects the -appropriate call credentials for that connection. If the determined transport -security type is ALTS, the provided alts_credentials will be used. For all other -transport types, the primary call_credentials are used, maintaining the default -behavior. - -This approach was decided upon after initial feedback suggested modifying the -existing API. - -## Rationale - -The primary motivation for this change is to enable seamless support for hybrid -security environments on a single gRPC channel. - -The advantages of this approach are: - -* Consolidated API: It avoids introducing a new function for a closely related - feature, keeping the API surface clean and concise. An initial review of the - pull request favored this path to avoid an unnecessary new API. -* Improved Discoverability: Developers only need to be aware of a single - function for creating Google default credentials. The optional nature of the - second parameter would make the basic use case simple while allowing for the - more advanced dual-credential scenario when needed. -* Logical Cohesion: Since the new functionality is an extension of the - existing credential creation process, incorporating it into the original - function maintains logical cohesion. The function's responsibility is - expanded rather than duplicated across multiple functions. -* Cross-language support: Since wrapper languages like Python use this API, - supporting ALTS bound credentials will be straightforward by passing them as - an argument to the existing API. - -## Implementation - -The implementation for this proposal has been completed and merged into the main -gRPC repository. - -* Pull Request: grpc/grpc#39770 -* Key Commit: The changes were integrated via commit ca2e8c9. From 8c2d33aad07986ee3d90531c72c623ddec2485c2 Mon Sep 17 00:00:00 2001 From: Ana Salazar Date: Wed, 2 Jul 2025 17:03:11 +0000 Subject: [PATCH 04/14] Add discussion link and fix number --- L124-core-add-alts-google-call-credentials.md | 85 +++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 L124-core-add-alts-google-call-credentials.md diff --git a/L124-core-add-alts-google-call-credentials.md b/L124-core-add-alts-google-call-credentials.md new file mode 100644 index 000000000..fd85f0c6c --- /dev/null +++ b/L124-core-add-alts-google-call-credentials.md @@ -0,0 +1,85 @@ +# Support ALTS Hard Bound Call Credentials in Google Default Credentials + +-------------------------------------------------------------------------------- + +* Author(s): anniefrchz +* Approver: a11r +* Status: Draft +* Implemented in: C++ +* Last updated: 2025/06/30 +* Discussion at: https://groups.google.com/g/grpc-io/c/7rRWghiS95E/m/nENwU3BtCgAJ + +## Abstract + +This proposal outlines a change to the gRPC Core C-API to support +alts-credentials configurations within `grpc_google_default_credentials`. This +enhancement specifically allows a secondary set of call credentials for ALTS to +be provided alongside the default credentials. + +### Background + +The existing `grpc_google_default_credentials_create` function allows the +configuration of a single set of call credentials. In some scenarios, a client +would want to communicate with services that support hard bound credentials over +ALTS. This proposal addresses the possibility to support this use case on a +channel initialized with Google's default credentials. + +### Proposal + +To maintain backward compatibility with the existing C-API, this proposal +modifies the function `grpc_google_default_credentials_create` to add a second +set of call credentials. + +```c +GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create( + grpc_call_credentials* tls_credentials, + grpc_call_credentials* alts_credentials); +``` + +This new function accepts two arguments: + +1. `tls_credentials`: The primary call credentials, consistent with the + existing API. Usually. default back to the TLS connection. +2. `alts_credentials`: A secondary set of call credentials to be used + specifically for ALTS connections. + +After a secure connection is established, the gRPC runtime identifies the +channel's transport security type, which indicates whether the underlying +channel is using a protocol like ALTS or TLS. The runtime then selects the +appropriate call credentials for that connection. If the determined transport +security type is ALTS, the provided alts_credentials will be used. For all other +transport types, the primary call_credentials are used, maintaining the default +behavior. + +This approach was decided upon after initial feedback suggested modifying the +existing API. + +## Rationale + +The primary motivation for this change is to enable seamless support for hybrid +security environments on a single gRPC channel. + +The advantages of this approach are: + +* Consolidated API: It avoids introducing a new function for a closely related + feature, keeping the API surface clean and concise. An initial review of the + pull request favored this path to avoid an unnecessary new API. +* Improved Discoverability: Developers only need to be aware of a single + function for creating Google default credentials. The optional nature of the + second parameter would make the basic use case simple while allowing for the + more advanced dual-credential scenario when needed. +* Logical Cohesion: Since the new functionality is an extension of the + existing credential creation process, incorporating it into the original + function maintains logical cohesion. The function's responsibility is + expanded rather than duplicated across multiple functions. +* Cross-language support: Since wrapper languages like Python use this API, + supporting ALTS bound credentials will be straightforward by passing them as + an argument to the existing API. + +## Implementation + +The implementation for this proposal has been completed and merged into the main +gRPC repository. + +* Pull Request: grpc/grpc#39770 +* Key Commit: The changes were integrated via commit ca2e8c9. From 1d45a7880133c088649f48d4112996163db75dc9 Mon Sep 17 00:00:00 2001 From: Ana Salazar Date: Tue, 8 Jul 2025 15:36:56 +0000 Subject: [PATCH 05/14] Adress comments and nits --- L124-core-add-alts-google-call-credentials.md | 29 +++++++------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/L124-core-add-alts-google-call-credentials.md b/L124-core-add-alts-google-call-credentials.md index fd85f0c6c..782f311a0 100644 --- a/L124-core-add-alts-google-call-credentials.md +++ b/L124-core-add-alts-google-call-credentials.md @@ -1,12 +1,10 @@ -# Support ALTS Hard Bound Call Credentials in Google Default Credentials - +# L124: C-core: Support ALTS Hard Bound Call Credentials in Google Default Credentials -------------------------------------------------------------------------------- - * Author(s): anniefrchz -* Approver: a11r -* Status: Draft +* Approver: markdroth +* Status: In Review * Implemented in: C++ -* Last updated: 2025/06/30 +* Last updated: 2025-07-08 * Discussion at: https://groups.google.com/g/grpc-io/c/7rRWghiS95E/m/nENwU3BtCgAJ ## Abstract @@ -16,7 +14,7 @@ alts-credentials configurations within `grpc_google_default_credentials`. This enhancement specifically allows a secondary set of call credentials for ALTS to be provided alongside the default credentials. -### Background +## Background The existing `grpc_google_default_credentials_create` function allows the configuration of a single set of call credentials. In some scenarios, a client @@ -24,11 +22,10 @@ would want to communicate with services that support hard bound credentials over ALTS. This proposal addresses the possibility to support this use case on a channel initialized with Google's default credentials. -### Proposal +## Proposal -To maintain backward compatibility with the existing C-API, this proposal -modifies the function `grpc_google_default_credentials_create` to add a second -set of call credentials. +This proposal modifies the function `grpc_google_default_credentials_create` to +add a second set of call credentials. ```c GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create( @@ -39,21 +36,18 @@ GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create( This new function accepts two arguments: 1. `tls_credentials`: The primary call credentials, consistent with the - existing API. Usually. default back to the TLS connection. + existing API. Usually, for TLS connections. 2. `alts_credentials`: A secondary set of call credentials to be used specifically for ALTS connections. After a secure connection is established, the gRPC runtime identifies the -channel's transport security type, which indicates whether the underlying -channel is using a protocol like ALTS or TLS. The runtime then selects the +connection's transport security type, which indicates whether the underlying +connection is using a protocol like ALTS or TLS. The runtime then selects the appropriate call credentials for that connection. If the determined transport security type is ALTS, the provided alts_credentials will be used. For all other transport types, the primary call_credentials are used, maintaining the default behavior. -This approach was decided upon after initial feedback suggested modifying the -existing API. - ## Rationale The primary motivation for this change is to enable seamless support for hybrid @@ -82,4 +76,3 @@ The implementation for this proposal has been completed and merged into the main gRPC repository. * Pull Request: grpc/grpc#39770 -* Key Commit: The changes were integrated via commit ca2e8c9. From 2a9d07f631a2367cc61a2e478b57031ad753258e Mon Sep 17 00:00:00 2001 From: Ana Salazar Date: Thu, 17 Jul 2025 20:23:14 +0000 Subject: [PATCH 06/14] Rename file and fix some nits --- ...ials.md => L126-core-add-alts-google-call-credentials.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename L124-core-add-alts-google-call-credentials.md => L126-core-add-alts-google-call-credentials.md (94%) diff --git a/L124-core-add-alts-google-call-credentials.md b/L126-core-add-alts-google-call-credentials.md similarity index 94% rename from L124-core-add-alts-google-call-credentials.md rename to L126-core-add-alts-google-call-credentials.md index 782f311a0..c9a993b04 100644 --- a/L124-core-add-alts-google-call-credentials.md +++ b/L126-core-add-alts-google-call-credentials.md @@ -1,5 +1,5 @@ -# L124: C-core: Support ALTS Hard Bound Call Credentials in Google Default Credentials --------------------------------------------------------------------------------- +# L126: C-core: Support ALTS Hard Bound Call Credentials in Google Default Credentials + * Author(s): anniefrchz * Approver: markdroth * Status: In Review @@ -36,7 +36,7 @@ GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create( This new function accepts two arguments: 1. `tls_credentials`: The primary call credentials, consistent with the - existing API. Usually, for TLS connections. + existing API. This is usually used for TLS connections. 2. `alts_credentials`: A secondary set of call credentials to be used specifically for ALTS connections. From 766d654b8665e2fef6b15b1c3f0cb39fb9a7ef46 Mon Sep 17 00:00:00 2001 From: Ana Salazar Date: Mon, 28 Jul 2025 19:16:00 +0000 Subject: [PATCH 07/14] Incorporate changes to the GoogleDefaultCredentials options --- L126-core-add-alts-google-call-credentials.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/L126-core-add-alts-google-call-credentials.md b/L126-core-add-alts-google-call-credentials.md index c9a993b04..62203613a 100644 --- a/L126-core-add-alts-google-call-credentials.md +++ b/L126-core-add-alts-google-call-credentials.md @@ -48,6 +48,20 @@ security type is ALTS, the provided alts_credentials will be used. For all other transport types, the primary call_credentials are used, maintaining the default behavior. +Additionally, external customers will de able to create GoogleDefaultCredentials +by setting a GoogleDefaultCredentialsOptions value into their standard call. +For this addition, the proposed struct `GoogleDefaultCredentialsOptions` will hold +a boolean that will be default to false. Callers of the GoogleDefaultCredentials() +API will be able to set use_alts to false value, if required to indicate the +request for the underlying bound token call credentials. + +```c +struct GoogleDefaultCredentialsOptions { + bool use_alts = false; +}; +``` + + ## Rationale The primary motivation for this change is to enable seamless support for hybrid From 666cda099f283f313df7095f544987680a2289e6 Mon Sep 17 00:00:00 2001 From: Ana Salazar Date: Fri, 22 Aug 2025 18:46:33 +0000 Subject: [PATCH 08/14] Add details on implementation for C++ libraries --- L126-core-add-alts-google-call-credentials.md | 46 +++++++++++++++---- 1 file changed, 38 insertions(+), 8 deletions(-) diff --git a/L126-core-add-alts-google-call-credentials.md b/L126-core-add-alts-google-call-credentials.md index 62203613a..b5418a9ff 100644 --- a/L126-core-add-alts-google-call-credentials.md +++ b/L126-core-add-alts-google-call-credentials.md @@ -5,7 +5,8 @@ * Status: In Review * Implemented in: C++ * Last updated: 2025-07-08 -* Discussion at: https://groups.google.com/g/grpc-io/c/7rRWghiS95E/m/nENwU3BtCgAJ +* Discussion at: + https://groups.google.com/g/grpc-io/c/7rRWghiS95E/m/nENwU3BtCgAJ ## Abstract @@ -48,19 +49,48 @@ security type is ALTS, the provided alts_credentials will be used. For all other transport types, the primary call_credentials are used, maintaining the default behavior. -Additionally, external customers will de able to create GoogleDefaultCredentials -by setting a GoogleDefaultCredentialsOptions value into their standard call. -For this addition, the proposed struct `GoogleDefaultCredentialsOptions` will hold -a boolean that will be default to false. Callers of the GoogleDefaultCredentials() -API will be able to set use_alts to false value, if required to indicate the -request for the underlying bound token call credentials. +The hard-bound call credentials will be created through +`grpc_google_compute_engine_credentials_create`. This function has a reserved +argument that will allow us to inject a new structure, +`grpc_google_compute_engine_credentials_options`. By setting the appropiate +transport protocol in the form of query parameters pairs, the caller will be +able to obtain ALTS hard-bound credentials instead of the standard default call +credentials. ```c +typedef struct { + struct { + const char* param; + const char* value; + } QueryParam; + + const QueryParam* query_params; +} grpc_google_compute_engine_credentials_options; + +GRPCAPI grpc_call_credentials* grpc_google_compute_engine_credentials_create( + grpc_google_compute_engine_credentials_options* options); +``` + +Additionally, external customers for the public C++ library will de able to +create GoogleDefaultCredentials by setting a GoogleDefaultCredentialsOptions +value into their standard call. For this addition, the proposed struct +`GoogleDefaultCredentialsOptions` will hold a boolean that will be default to +false. Callers of the GoogleDefaultCredentials() API will be able to set +use_alts to false value, if required to indicate the request for the underlying +bound token call credentials. + +```c++ struct GoogleDefaultCredentialsOptions { - bool use_alts = false; + bool use_alts_call_credentials = false; }; + +std::shared_ptr GoogleDefaultCredentials( + const GoogleDefaultCredentialsOptions& options = + GoogleDefaultCredentialsOptions()); ``` +Other wrapped languages are not in scope for changes to their public API, and +further discussion is needed if an implementation is scoped. ## Rationale From 9e23f3032c4bc0fec75d8f543febe0ae57f86c67 Mon Sep 17 00:00:00 2001 From: Ana Salazar Date: Fri, 22 Aug 2025 20:16:13 +0000 Subject: [PATCH 09/14] Create sections per language --- L126-core-add-alts-google-call-credentials.md | 22 ++++++++++++------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/L126-core-add-alts-google-call-credentials.md b/L126-core-add-alts-google-call-credentials.md index b5418a9ff..f8fcd2649 100644 --- a/L126-core-add-alts-google-call-credentials.md +++ b/L126-core-add-alts-google-call-credentials.md @@ -25,6 +25,8 @@ channel initialized with Google's default credentials. ## Proposal +### C-Core changes + This proposal modifies the function `grpc_google_default_credentials_create` to add a second set of call credentials. @@ -50,12 +52,11 @@ transport types, the primary call_credentials are used, maintaining the default behavior. The hard-bound call credentials will be created through -`grpc_google_compute_engine_credentials_create`. This function has a reserved -argument that will allow us to inject a new structure, -`grpc_google_compute_engine_credentials_options`. By setting the appropiate -transport protocol in the form of query parameters pairs, the caller will be -able to obtain ALTS hard-bound credentials instead of the standard default call -credentials. +`grpc_google_compute_engine_credentials_create`. This function will have a +`grpc_google_compute_engine_credentials_options` parameter. By setting the +appropiate transport protocol in the form of query parameters pairs, the caller +will be able to obtain ALTS hard-bound credentials instead of the standard +default call credentials. ```c typedef struct { @@ -65,6 +66,7 @@ typedef struct { } QueryParam; const QueryParam* query_params; + int query_params_count; } grpc_google_compute_engine_credentials_options; GRPCAPI grpc_call_credentials* grpc_google_compute_engine_credentials_create( @@ -76,8 +78,10 @@ create GoogleDefaultCredentials by setting a GoogleDefaultCredentialsOptions value into their standard call. For this addition, the proposed struct `GoogleDefaultCredentialsOptions` will hold a boolean that will be default to false. Callers of the GoogleDefaultCredentials() API will be able to set -use_alts to false value, if required to indicate the request for the underlying -bound token call credentials. +use_alts_call_credentials to false value, if required to indicate the request +for the underlying bound token call credentials. + +### C++ Changes ```c++ struct GoogleDefaultCredentialsOptions { @@ -89,6 +93,8 @@ std::shared_ptr GoogleDefaultCredentials( GoogleDefaultCredentialsOptions()); ``` +### Other C-Core languages + Other wrapped languages are not in scope for changes to their public API, and further discussion is needed if an implementation is scoped. From c38532beca8b7a72a22f4c6befa3705a79d986cc Mon Sep 17 00:00:00 2001 From: Ana Salazar Date: Fri, 22 Aug 2025 20:18:20 +0000 Subject: [PATCH 10/14] S/int/size_t in struct definition --- L126-core-add-alts-google-call-credentials.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/L126-core-add-alts-google-call-credentials.md b/L126-core-add-alts-google-call-credentials.md index f8fcd2649..7bf1f2e17 100644 --- a/L126-core-add-alts-google-call-credentials.md +++ b/L126-core-add-alts-google-call-credentials.md @@ -66,7 +66,7 @@ typedef struct { } QueryParam; const QueryParam* query_params; - int query_params_count; + size_t query_params_count; } grpc_google_compute_engine_credentials_options; GRPCAPI grpc_call_credentials* grpc_google_compute_engine_credentials_create( From d42398ece3bc73ffb54ca07706c54a184cf4321a Mon Sep 17 00:00:00 2001 From: Ana Salazar Date: Fri, 22 Aug 2025 21:10:53 +0000 Subject: [PATCH 11/14] Move header --- L126-core-add-alts-google-call-credentials.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/L126-core-add-alts-google-call-credentials.md b/L126-core-add-alts-google-call-credentials.md index 7bf1f2e17..689361f5a 100644 --- a/L126-core-add-alts-google-call-credentials.md +++ b/L126-core-add-alts-google-call-credentials.md @@ -73,6 +73,8 @@ GRPCAPI grpc_call_credentials* grpc_google_compute_engine_credentials_create( grpc_google_compute_engine_credentials_options* options); ``` +### C++ Changes + Additionally, external customers for the public C++ library will de able to create GoogleDefaultCredentials by setting a GoogleDefaultCredentialsOptions value into their standard call. For this addition, the proposed struct @@ -81,8 +83,6 @@ false. Callers of the GoogleDefaultCredentials() API will be able to set use_alts_call_credentials to false value, if required to indicate the request for the underlying bound token call credentials. -### C++ Changes - ```c++ struct GoogleDefaultCredentialsOptions { bool use_alts_call_credentials = false; From 9faf191a929f6da8589ff184b80509fd829f2fb3 Mon Sep 17 00:00:00 2001 From: Ana Salazar Date: Fri, 22 Aug 2025 21:15:40 +0000 Subject: [PATCH 12/14] Use a boolean instead of query parameters --- L126-core-add-alts-google-call-credentials.md | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/L126-core-add-alts-google-call-credentials.md b/L126-core-add-alts-google-call-credentials.md index 689361f5a..582735dfa 100644 --- a/L126-core-add-alts-google-call-credentials.md +++ b/L126-core-add-alts-google-call-credentials.md @@ -53,20 +53,14 @@ behavior. The hard-bound call credentials will be created through `grpc_google_compute_engine_credentials_create`. This function will have a -`grpc_google_compute_engine_credentials_options` parameter. By setting the -appropiate transport protocol in the form of query parameters pairs, the caller -will be able to obtain ALTS hard-bound credentials instead of the standard -default call credentials. +`grpc_google_compute_engine_credentials_options` parameter. The caller will be +able to obtain ALTS hard-bound credentials instead of the standard default call +credentials by toggling the corresponding flag use_alts_call_credentials in the +structure. ```c typedef struct { - struct { - const char* param; - const char* value; - } QueryParam; - - const QueryParam* query_params; - size_t query_params_count; + bool use_alts_call_credentials = false; } grpc_google_compute_engine_credentials_options; GRPCAPI grpc_call_credentials* grpc_google_compute_engine_credentials_create( From 27d887c21a1b9e40f77aba352bfb2cb8dff4eb30 Mon Sep 17 00:00:00 2001 From: Ana Salazar Date: Fri, 22 Aug 2025 21:17:44 +0000 Subject: [PATCH 13/14] Update Date --- L126-core-add-alts-google-call-credentials.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/L126-core-add-alts-google-call-credentials.md b/L126-core-add-alts-google-call-credentials.md index 582735dfa..3e6778af3 100644 --- a/L126-core-add-alts-google-call-credentials.md +++ b/L126-core-add-alts-google-call-credentials.md @@ -4,7 +4,7 @@ * Approver: markdroth * Status: In Review * Implemented in: C++ -* Last updated: 2025-07-08 +* Last updated: 2025-08-22 * Discussion at: https://groups.google.com/g/grpc-io/c/7rRWghiS95E/m/nENwU3BtCgAJ From 899ad3b210487cc1965c5431a6a5b06a3464b6bc Mon Sep 17 00:00:00 2001 From: Ana Salazar Date: Mon, 25 Aug 2025 20:44:39 +0000 Subject: [PATCH 14/14] Change flag name for grpc_google_compute_engine_credentials_create --- L126-core-add-alts-google-call-credentials.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/L126-core-add-alts-google-call-credentials.md b/L126-core-add-alts-google-call-credentials.md index 3e6778af3..8105d51d4 100644 --- a/L126-core-add-alts-google-call-credentials.md +++ b/L126-core-add-alts-google-call-credentials.md @@ -55,12 +55,11 @@ The hard-bound call credentials will be created through `grpc_google_compute_engine_credentials_create`. This function will have a `grpc_google_compute_engine_credentials_options` parameter. The caller will be able to obtain ALTS hard-bound credentials instead of the standard default call -credentials by toggling the corresponding flag use_alts_call_credentials in the -structure. +credentials by toggling the corresponding flag alts_hard_bound in the structure. ```c typedef struct { - bool use_alts_call_credentials = false; + bool alts_hard_bound = false; } grpc_google_compute_engine_credentials_options; GRPCAPI grpc_call_credentials* grpc_google_compute_engine_credentials_create(