@lupuletic lupuletic commented Oct 29, 2025

Title:

Add -cprof_service_account_json_file flag for explicit credential path

Description:

This PR adds a new flag -cprof_service_account_json_file that allows users to specify a custom service account JSON file path for authentication.

Motivation

When running the profiler on-premises or in environments where the application already uses GOOGLE_APPLICATION_CREDENTIALS for a different Google Cloud service, there's no way to provide separate credentials for the profiler.

Changes

  • Added new flag: -cprof_service_account_json_file

Example Usage

-agentpath:/opt/cprof/profiler_java_agent.so=-cprof_service=myapp,-cprof_service_account_json_file=/etc/gcp/profiler-credentials.json

Use Cases

  • Running on-premises where Application Default Credentials aren't available
  • Application already uses GOOGLE_APPLICATION_CREDENTIALS for Google Retail API, Vertex AI, or other services
  • Multiple Google Cloud services need different credentials in the same process

Testing

Tested with a Java application that uses separate credentials for:

  • Google Retail API (via GOOGLE_APPLICATION_CREDENTIALS)
  • Cloud Profiler (via new -cprof_service_account_json_file flag)

@lupuletic lupuletic marked this pull request as draft October 29, 2025 18:22
@lupuletic lupuletic force-pushed the add-service-account-json-file-flag branch from 58219c1 to a62cbf0 Compare October 29, 2025 18:57
…ding

Replace environment variable manipulation with direct use of gRPC's
ServiceAccountJWTAccessCredentials API. This eliminates race conditions
from concurrent credential initialization and avoids global state pollution.

Changes:
- Add ReadFileContents() helper with path validation
- Read service account JSON directly and create JWT credentials
- Compose SSL and call credentials using CompositeChannelCredentials
- Preserve ADC fallback when flag not specified
- Remove all setenv/unsetenv/getenv calls

This ensures thread-safe credential initialization and follows gRPC
best practices for service account authentication.
@lupuletic lupuletic force-pushed the add-service-account-json-file-flag branch from a62cbf0 to ae73536 Compare October 29, 2025 18:58
@lupuletic lupuletic marked this pull request as ready for review October 30, 2025 10:41
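
The commit message above mentions a file-reading helper with path validation, but the page does not show it. The following is an added example, not the PR's or the project's code, of one way to read a credential file defensively in C++ on POSIX; the function name, the size cap and the specific checks are assumptions.

```cpp
// Added example, not the PR's code: the checks are assumptions about what
// validating a credential path can mean; the function name is hypothetical.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cstddef>
#include <string>

// Key files are a few KiB; refuse anything much larger (assumed cap).
constexpr std::size_t kMaxCredentialBytes = 64 * 1024;

// Reads `path` into `out`; returns false and sets `err` if a check fails.
bool ReadCredentialFileChecked(const std::string& path, std::string* out,
                               std::string* err) {
  if (path.empty() || path[0] != '/') {
    *err = "path must be absolute";
    return false;
  }
  // O_NOFOLLOW rejects a symlink as the final path component;
  // O_NONBLOCK keeps open() from hanging if the path is a FIFO.
  int fd = open(path.c_str(), O_RDONLY | O_CLOEXEC | O_NOFOLLOW | O_NONBLOCK);
  if (fd < 0) {
    *err = "cannot open file";
    return false;
  }
  struct stat st;
  bool ok = false;
  // fstat on the descriptor, so the checks apply to the file actually read.
  if (fstat(fd, &st) != 0) {
    *err = "fstat failed";
  } else if (!S_ISREG(st.st_mode)) {
    *err = "not a regular file";
  } else if (st.st_mode & (S_IWGRP | S_IWOTH | S_IROTH)) {
    *err = "permissions too open";  // group/world writable or world readable
  } else if (st.st_size <= 0 ||
             static_cast<std::size_t>(st.st_size) > kMaxCredentialBytes) {
    *err = "unexpected file size";
  } else {
    out->assign(static_cast<std::size_t>(st.st_size), '\0');
    std::size_t got = 0;
    ssize_t n = 0;
    while (got < out->size() &&
           (n = read(fd, &(*out)[got], out->size() - got)) > 0) {
      got += static_cast<std::size_t>(n);
    }
    ok = (got == out->size());
    if (!ok) *err = "short read";
  }
  close(fd);
  return ok;
}
```

Because the contents are returned as a string, the caller can hand them to a credentials API directly and no process-wide environment variable has to be changed.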