feat(cli): fall back to Application Default Credentials for secrets commands #898

Merged
Aaron ("AJ") Steers (aaronsteers) merged 5 commits into main from
devin/1770336012-adc-fallback-secrets
Feb 6, 2026
@aaronsteers Aaron ("AJ") Steers (aaronsteers) commented Feb 6, 2026

Summary

Previously, airbyte-cdk secrets list and airbyte-cdk secrets fetch required the GCP_GSM_CREDENTIALS environment variable (service account JSON) and raised a ValueError if it was missing. This change makes the env var optional by falling back to Application Default Credentials (ADC) when it's not set.

This means engineers can use gcloud auth application-default login to authenticate, without needing to export a service account key.

When GCP_GSM_CREDENTIALS is set, behavior is unchanged (service account credentials are used).

Review & Testing Checklist for Human

  • Verify ADC error UX: When neither GCP_GSM_CREDENTIALS nor ADC credentials are available, the GCP client will raise google.auth.exceptions.DefaultCredentialsError instead of the previous ValueError with a specific message. Confirm this error is clear enough, or decide if a try/except wrapper with a friendlier message is warranted.
  • Test the ADC path locally: Run gcloud auth application-default login, unset GCP_GSM_CREDENTIALS, and verify airbyte-cdk secrets list source-pokeapi works with your user credentials.
  • Confirm service account path unchanged: With GCP_GSM_CREDENTIALS set, verify secrets list / secrets fetch still work as before.

Summary by CodeRabbit

  • Bug Fixes

    • Improved GCP Secret Manager authentication: accepts credentials from an environment variable or falls back to Application Default Credentials (ADC). Previously required the environment variable; now ADC is attempted and a clearer, actionable error is shown if authentication fails.
  • Documentation

    • Expanded guidance on authenticating with GCP Secret Manager, including the new ADC fallback and recommended remediation steps.

Important

Auto-merge enabled.

This PR is set to merge automatically when all requirements are met.

…ommands

Co-Authored-By: AJ Steers <aj@airbyte.io>
Copilot AI review requested due to automatic review settings February 6, 2026 00:01
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@github-actions

github-actions bot commented Feb 6, 2026

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

Testing This CDK Version

You can test this version of the CDK using the following:

# Run the CLI from this branch:
uvx 'git+https://github.com/airbytehq/airbyte-python-cdk.git@devin/1770336012-adc-fallback-secrets#egg=airbyte-python-cdk[dev]' --help

# Update a connector to use the CDK from this branch ref:
cd airbyte-integrations/connectors/source-example
poe use-cdk-branch devin/1770336012-adc-fallback-secrets

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /autofix - Fixes most formatting and linting issues
  • /poetry-lock - Updates poetry.lock file
  • /test - Runs connector tests with the updated CDK
  • /prerelease - Triggers a prerelease publish with default arguments
  • /poe build - Regenerate git-committed build artifacts, such as the pydantic models which are generated from the manifest JSON schema in YAML.
  • /poe <command> - Runs any poe command in the CDK environment
Copilot AI left a comment

Pull request overview

This PR enables the airbyte-cdk secrets CLI commands to use Google Cloud's Application Default Credentials (ADC) as a fallback when the GCP_GSM_CREDENTIALS environment variable is not set, removing the previous hard requirement for service account JSON credentials.

Changes:

  • Modified _get_gsm_secrets_client() to make GCP_GSM_CREDENTIALS optional
  • Added fallback to ADC when environment variable is not set
  • Enhanced function docstring to document the new authentication flow

@devin-ai-integration devin-ai-integration bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

@aaronsteers

Devin, lint failed.

Co-Authored-By: AJ Steers <aj@airbyte.io>
@coderabbitai

coderabbitai bot commented Feb 6, 2026

Walkthrough

Authentication for the GSM secrets client now prefers GCP_GSM_CREDENTIALS service-account JSON when present, otherwise attempts Application Default Credentials (ADC) via SecretManagerServiceClient() and raises a descriptive ValueError on DefaultCredentialsError. Wdyt?

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| GSM Secrets Authentication Logic: airbyte_cdk/cli/airbyte_cdk/_secrets.py | Refactored _get_gsm_secrets_client to: use from_service_account_info(json.loads(...)) when GCP_GSM_CREDENTIALS is set; otherwise try ADC via SecretManagerServiceClient(); catch DefaultCredentialsError and raise a ValueError with guidance. Docstring and import guards updated. |

Sequence Diagram(s)

sequenceDiagram
    participant Caller
    participant SecretsFn as _get_gsm_secrets_client
    participant GSMClient as SecretManagerServiceClient
    participant Auth as GoogleAuth/ADC

    Caller->>SecretsFn: request GSM client
    SecretsFn->>SecretsFn: read GCP_GSM_CREDENTIALS env
    alt GCP_GSM_CREDENTIALS set
        SecretsFn->>GSMClient: from_service_account_info(credentials_json)
        GSMClient-->>SecretsFn: client instance
    else GCP_GSM_CREDENTIALS unset
        SecretsFn->>GSMClient: SecretManagerServiceClient() (ADC)
        GSMClient->>Auth: resolve ADC
        alt ADC available
            Auth-->>GSMClient: credentials
            GSMClient-->>SecretsFn: client instance
        else ADC missing -> DefaultCredentialsError
            GSMClient-->>SecretsFn: raises DefaultCredentialsError
            SecretsFn-->>Caller: raise ValueError (advise set env or run gcloud auth)
        end
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately and specifically describes the main change: adding Application Default Credentials (ADC) fallback support for GCP secrets commands, making the GCP_GSM_CREDENTIALS environment variable optional. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@airbyte_cdk/cli/airbyte_cdk/_secrets.py`:
- Around line 441-444: Remove the redundant typing.cast wrapping the
SecretManagerServiceClient instantiation: replace the return of return
cast("secretmanager.SecretManagerServiceClient",
secretmanager.SecretManagerServiceClient()) with a direct return
secretmanager.SecretManagerServiceClient(); also remove the now-unused cast
import if it becomes unused by other code. This targets the return cast(...)
expression that constructs secretmanager.SecretManagerServiceClient.
🧹 Nitpick comments (1)
airbyte_cdk/cli/airbyte_cdk/_secrets.py (1)

432-444: Consider a user-friendly hint when ADC also fails.

Previously, a missing GCP_GSM_CREDENTIALS raised a ValueError with a clear message telling the user what to do. Now, if neither the env var nor ADC is configured, the user will get a raw google.auth.exceptions.DefaultCredentialsError, which can be cryptic.

Would it be worth wrapping the ADC client construction in a try/except to catch DefaultCredentialsError and re-raise with a friendlier message — something like "Set GCP_GSM_CREDENTIALS or run gcloud auth application-default login"? Totally optional, but it could save folks some head-scratching, wdyt?

💡 Possible approach
+    try:
+        return secretmanager.SecretManagerServiceClient()
+    except Exception as ex:
+        raise ValueError(
+            "GCP credentials not found. Either set the GCP_GSM_CREDENTIALS "
+            "environment variable with service account JSON, or run "
+            "'gcloud auth application-default login' to configure Application "
+            "Default Credentials."
+        ) from ex
-    return cast(
-        "secretmanager.SecretManagerServiceClient",
-        secretmanager.SecretManagerServiceClient(),
-    )
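
Review bot: The `except Exception as ex:` clause in the added try block is broader than the failure its message describes, so any error raised while constructing SecretManagerServiceClient() would be reported as "GCP credentials not found". Catch google.auth.exceptions.DefaultCredentialsError, the exception named in the comment above, so that unrelated failures keep their original type and message.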

@devin-ai-integration devin-ai-integration bot left a comment

Devin Review found 1 new potential issue.

View 3 additional findings in Devin Review.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@airbyte_cdk/cli/airbyte_cdk/_secrets.py`:
- Line 39: Move the top-level import of google.auth.exceptions into the existing
guarded try/except that imports google.cloud.secretmanager_v1 so the module can
import even when google-auth isn't installed; specifically, modify the try block
that defines secretmanager to also import google.auth.exceptions (and set a
fallback None in the except ImportError) so references inside
_get_gsm_secrets_client and the early if not secretmanager guard remain safe and
the helpful runtime error is preserved.
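
The resolution order from the walkthrough, combined with the import guard requested above, as an added example (not the CDK's own code). The function name `get_gsm_client`, its `env` and `client_cls` parameters, and the stand-in exception class are assumptions made here so the flow can be exercised without GCP access.

```python
"""Added sketch of the credential resolution order discussed in this PR."""
import json
import os

try:  # Guarded imports: this module must still import when the GCP extras are absent.
    from google.auth.exceptions import DefaultCredentialsError
    from google.cloud import secretmanager_v1 as secretmanager
except ImportError:
    secretmanager = None

    class DefaultCredentialsError(Exception):
        """Stand-in so the except clause below stays valid without google-auth."""


def get_gsm_client(env=None, client_cls=None):
    """Return a Secret Manager client: env-var service account first, then ADC.

    `env` and `client_cls` are hypothetical injection points used for testing.
    """
    env = os.environ if env is None else env
    if client_cls is None:
        if secretmanager is None:
            raise ImportError("google-cloud-secret-manager is not installed.")
        client_cls = secretmanager.SecretManagerServiceClient

    raw = env.get("GCP_GSM_CREDENTIALS")
    if raw:
        # Explicit service account JSON wins, so existing setups behave as before.
        return client_cls.from_service_account_info(json.loads(raw))

    try:
        return client_cls()  # No explicit credentials: the library resolves ADC.
    except DefaultCredentialsError as ex:
        # Catch only the credential-resolution failure; other errors propagate.
        raise ValueError(
            "GCP credentials not found. Set GCP_GSM_CREDENTIALS to service "
            "account JSON or run 'gcloud auth application-default login'."
        ) from ex
```
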

…ceful degradation

Co-Authored-By: AJ Steers <aj@airbyte.io>
@github-actions

github-actions bot commented Feb 6, 2026

PyTest Results (Fast)

3 855 tests  ±0   3 843 ✅ ±0   6m 31s ⏱️ +3s
    1 suites ±0      12 💤 ±0 
    1 files   ±0       0 ❌ ±0 

Results for commit af7197b. ± Comparison against base commit ef8df7b.

…s used

Co-Authored-By: AJ Steers <aj@airbyte.io>
@aaronsteers

❤️

Works now even without the GCP_GSM_CREDENTIALS env var set! 🙌

@aaronsteers Aaron ("AJ") Steers (aaronsteers) merged commit 57c70ba into main Feb 6, 2026
28 checks passed
@aaronsteers Aaron ("AJ") Steers (aaronsteers) deleted the devin/1770336012-adc-fallback-secrets branch February 6, 2026 00:25