@PrathameshBhagat PrathameshBhagat commented Oct 14, 2025

Description 📣

Users can now log in using just one line using GCP Auth (just like AWS Auth):

sdk.Auth().GCPAuthLogin(<machine-identity-id>);

Where machine-identity-id is the machine identity id with a GCP auth set up.

I have tried to keep it as close as possible to AWS Auth.

Last time it was my first interaction with Greptile so that PR became messy, hence created a fresh one.

I have also updated logback-classic as issues were faced as described here: #12, you can reset it back.

Demo Youtube video

https://youtu.be/fV9lB_wuZBg

Please use 2x if you feel it's a bit longer.

Please note giving the service account Service Account Token Creator permission is necessary.

Type ✨

  • Bug fix
  • New feature
  • Improvement
  • Breaking change
  • Documentation

Note

If running locally and not in a GCP instance, you need to provide it credentials via an environment variable named GOOGLE_APPLICATION_CREDENTIALS created from a proper service account and the service account should have Service Account Token Creator permission to create JWT tokens.

Else if running in a GCP instance it uses credentials from service account linked to the instance and you do not need to do anything in this case but in both cases the service account should have Service Account Token Creator permissions.

Also in both cases, i.e. running in a GCP instance or locally, the "machine-identity-id" provided should have a GCP Auth setup with "Token" option selected and NOT IAM, via Infisical Dashboard and added to an Infisical project.

@PrathameshBhagat PrathameshBhagat changed the title Add GCP auth login (Correctly) feat: Add GCP auth login (Correctly) Oct 15, 2025
@PrathameshBhagat PrathameshBhagat marked this pull request as ready for review October 16, 2025 05:27
@greptile-apps greptile-apps bot left a comment

Greptile Overview

Greptile Summary

This PR adds GCP (Google Cloud Platform) authentication support to the Infisical Java SDK, enabling users to authenticate with a single line: sdk.Auth().GCPAuthLogin(<machine-identity-id>). The implementation mirrors the existing AWS authentication pattern for consistency. The changes include:

  • AuthClient enhancement: Added a new GCPAuthLogin() method that validates the identity ID, constructs the API endpoint, and delegates to the GCP auth provider
  • GCP authentication provider: New GCPAuthProvider class that leverages Google's Application Default Credentials to obtain ID tokens for authentication
  • Dependency updates: Added Google Auth Library as an optional dependency and upgraded logback-classic from 1.5.6 to 1.5.13 to resolve compatibility issues
  • Integration testing: Added comprehensive tests to verify the authentication flow works correctly

The authentication works both locally (using GOOGLE_APPLICATION_CREDENTIALS environment variable) and on GCP instances (using attached service accounts). The implementation follows established SDK patterns with proper input validation, error handling, and token management through the existing authentication callback system.

Important Files Changed

Changed Files
| Filename | Score | Overview |
| --- | --- | --- |
| src/main/java/com/infisical/sdk/resources/AuthClient.java | 4/5 | Added GCPAuthLogin method following AWS auth pattern with proper validation and API integration |
| src/main/java/com/infisical/sdk/auth/GCPAuthProvider.java | 4/5 | New provider class for GCP authentication using Google Application Default Credentials and ID tokens |
| src/test/java/com/infisical/sdk/auth/GCPAuthIntegrationTest.java | 4/5 | Integration test for GCP auth with minor string comparison issue using == instead of .isEmpty() |
| pom.xml | 4/5 | Added Google Auth Library dependency and upgraded logback-classic to resolve compatibility issues |

Confidence score: 4/5

  • This PR is safe to merge with minimal risk as it follows established patterns and adds new functionality without breaking existing code
  • Score reflects well-structured implementation following existing AWS auth patterns, proper dependency management, and comprehensive testing, but minor issues include a string comparison bug in tests and lack of documentation
  • Pay close attention to the integration test file for the string comparison issue and consider adding documentation for the new GCP auth feature

Sequence Diagram

sequenceDiagram
    participant User
    participant AuthClient
    participant GCPAuthProvider
    participant GoogleCredentials
    participant IdTokenCredentials
    participant ApiClient
    participant InfisicalAPI

    User->>AuthClient: "GCPAuthLogin(identityId)"
    AuthClient->>AuthClient: "Validate identityId not null/empty"
    AuthClient->>GCPAuthProvider: "getGCPAuthInput(identityId)"
    GCPAuthProvider->>GCPAuthProvider: "Validate identityId not null/empty"
    GCPAuthProvider->>GoogleCredentials: "getApplicationDefault()"
    GoogleCredentials-->>GCPAuthProvider: "Return credentials"
    GCPAuthProvider->>IdTokenCredentials: "newBuilder().setIdTokenProvider().setTargetAudience().build()"
    IdTokenCredentials-->>GCPAuthProvider: "Return token credentials"
    GCPAuthProvider->>IdTokenCredentials: "refreshAccessToken().getTokenValue()"
    IdTokenCredentials-->>GCPAuthProvider: "Return JWT token"
    GCPAuthProvider->>GCPAuthProvider: "Create HashMap with identityId and jwt"
    GCPAuthProvider-->>AuthClient: "Return HashMap body"
    AuthClient->>ApiClient: "post('/api/v1/auth/gcp-auth/login', body, MachineIdentityCredential.class)"
    ApiClient->>InfisicalAPI: "POST /api/v1/auth/gcp-auth/login"
    InfisicalAPI-->>ApiClient: "Return MachineIdentityCredential"
    ApiClient-->>AuthClient: "Return credential"
    AuthClient->>AuthClient: "onAuthenticate.accept(credential.getAccessToken())"
    AuthClient-->>User: "Authentication complete"
4 files reviewed, 6 comments
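
Added example, not code from this PR or from the Infisical SDK: a client-side pre-flight check on the ID token that the flow above obtains, run before the token is posted to /api/v1/auth/gcp-auth/login. It assumes the token's aud claim must equal the machine identity id; the class and method names, the placeholder identity id and the unsigned sample tokens are hypothetical and constructed here, and the signature is not checked because that is the server's job.

```java
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class GcpIdTokenPreflight {
    // Minimal extraction for flat string/number claims; not a general JSON parser.
    private static final Pattern AUD = Pattern.compile("\"aud\"\\s*:\\s*\"([^\"]*)\"");
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d{1,18})");

    /** Returns null when the token looks usable, otherwise the reason it does not. */
    static String check(String jwt, String identityId, Instant now) {
        if (identityId == null || identityId.isEmpty()) return "identity id is null or empty";
        if (jwt == null) return "token is null";
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) return "not a three-part JWT";
        String payload;
        try {
            payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return "payload is not base64url";
        }
        Matcher aud = AUD.matcher(payload);
        // Assumption: the login endpoint expects aud to equal the machine identity id.
        if (!aud.find() || !aud.group(1).equals(identityId)) return "aud does not match identity id";
        Matcher exp = EXP.matcher(payload);
        if (!exp.find()) return "no exp claim";
        if (Instant.ofEpochSecond(Long.parseLong(exp.group(1))).isBefore(now)) return "token expired";
        return null;
    }

    // Builds an unsigned sample token (constructed data, placeholder signature part).
    static String sample(String aud, long exp) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String payload = "{\"aud\":\"" + aud + "\",\"exp\":" + exp + "}";
        return enc.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
             + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".sig";
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2025-10-16T00:00:00Z");
        String id = "00000000-0000-0000-0000-000000000000"; // placeholder identity id
        System.out.println(check(sample(id, now.getEpochSecond() + 3600), id, now));
        System.out.println(check(sample("other-audience", now.getEpochSecond() + 3600), id, now));
        System.out.println(check(sample(id, now.getEpochSecond() - 60), id, now));
    }
}
```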

PrathameshBhagat commented Oct 17, 2025

@MaygoDev @DanielHougaard @fangpenlin @sidwebworks Can you please review this PR ??
