test(auth): Integration test for Service Account with Audience (#3260)

sai-sunder-s · web-flow · commit 284d68b81bb5 · 2025-09-08T20:02:11.000Z
* test(auth): Integration test for Service Account with Audience

* lint
diff --git a/src/auth/integration-tests/src/lib.rs b/src/auth/integration-tests/src/lib.rs
@@ -87,6 +87,61 @@ pub async fn service_account() -> anyhow::Result<()> {
     Ok(())
 }
 
+pub async fn service_account_with_audience() -> anyhow::Result<()> {
+    let project = std::env::var("GOOGLE_CLOUD_PROJECT").expect("GOOGLE_CLOUD_PROJECT not set");
+
+    // Create a SecretManager client. When running on GCB, this loads MDS
+    // credentials for our `integration-test-runner` service account.
+    let client = SecretManagerService::builder().build().await?;
+
+    // Load the ADC json for the principal under test, in this case, a
+    // service account.
+    let response = client
+        .access_secret_version()
+        .set_name(format!(
+            "projects/{project}/secrets/test-sa-creds-json/versions/latest"
+        ))
+        .send()
+        .await?;
+    let sa_json = response
+        .payload
+        .expect("missing payload in test-sa-creds-json response")
+        .data;
+
+    let sa_json: serde_json::Value = serde_json::from_slice(&sa_json)?;
+
+    // Create credentials for the principal under test, but with an audience.
+    let creds = ServiceAccountCredentialsBuilder::new(sa_json)
+        .with_access_specifier(
+            auth::credentials::service_account::AccessSpecifier::from_audience(
+                "https://secretmanager.googleapis.com/",
+            ),
+        )
+        .build()?;
+
+    // Construct a new SecretManager client using the credentials.
+    let client = SecretManagerService::builder()
+        .with_credentials(creds)
+        .build()
+        .await?;
+
+    // Access a secret, which only this principal has permissions to do.
+    let response = client
+        .access_secret_version()
+        .set_name(format!(
+            "projects/{project}/secrets/test-sa-creds-secret/versions/latest"
+        ))
+        .send()
+        .await?;
+    let secret = response
+        .payload
+        .expect("missing payload in test-sa-creds-secret response")
+        .data;
+    assert_eq!(secret, "service_account");
+
+    Ok(())
+}
+
 pub async fn impersonated() -> anyhow::Result<()> {
     let project = std::env::var("GOOGLE_CLOUD_PROJECT").expect("GOOGLE_CLOUD_PROJECT not set");
 
diff --git a/src/auth/integration-tests/tests/driver.rs b/src/auth/integration-tests/tests/driver.rs
@@ -22,6 +22,12 @@ mod driver {
         auth_integration_tests::service_account().await
     }
 
+    #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+    #[serial_test::serial]
+    async fn run_service_account_with_audience() -> anyhow::Result<()> {
+        auth_integration_tests::service_account_with_audience().await
+    }
+
     #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
     #[serial_test::serial]
     async fn run_impersonated() -> anyhow::Result<()> {
