googleapis · vverman · Apr 22, 2026 · Apr 22, 2026
@@ -21,7 +21,6 @@ import {log as makeLog} from 'google-logging-utils';
 
 import {PRODUCT_NAME, USER_AGENT} from '../shared.cjs';
 import {
-  isRegionalAccessBoundaryEnabled,
   RegionalAccessBoundaryData,
   RegionalAccessBoundaryManager,
 } from './regionalaccessboundary';
@@ -237,7 +236,6 @@ export abstract class AuthClient
   eagerRefreshThresholdMillis = DEFAULT_EAGER_REFRESH_THRESHOLD_MILLIS;
   forceRefreshOnFailure = false;
   universeDomain = DEFAULT_UNIVERSE;
-  regionalAccessBoundaryEnabled: boolean;
   protected regionalAccessBoundaryManager: RegionalAccessBoundaryManager;
 
   /**
@@ -261,7 +259,6 @@ export abstract class AuthClient
     this.quotaProjectId = options.get('quota_project_id');
     this.credentials = options.get('credentials') ?? {};
     this.universeDomain = options.get('universe_domain') ?? DEFAULT_UNIVERSE;
-    this.regionalAccessBoundaryEnabled = isRegionalAccessBoundaryEnabled();
 
     // Shared client options
     this.transporter = opts.transporter ?? new Gaxios(opts.transporterOptions);

@@ -85,4 +85,4 @@ export class IdTokenClient extends OAuth2Client {
       return payload.exp * 1000;
     }
   }
-}
+}
@@ -18,13 +18,13 @@ import {log as makeLog} from 'google-logging-utils';
 const log = makeLog('auth');
 
 export const SERVICE_ACCOUNT_LOOKUP_ENDPOINT =
-  'https://staging-iamcredentials.sandbox.googleapis.com/v1/projects/-/serviceAccounts/{service_account_email}/allowedLocations';
+  'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{service_account_email}/allowedLocations';
 
 export const WORKLOAD_LOOKUP_ENDPOINT =
-  'https://staging-iamcredentials.sandbox.googleapis.com/v1/projects/{project_id}/locations/global/workloadIdentityPools/{pool_id}/allowedLocations';
+  'https://iamcredentials.googleapis.com/v1/projects/{project_id}/locations/global/workloadIdentityPools/{pool_id}/allowedLocations';
 
 export const WORKFORCE_LOOKUP_ENDPOINT =
-  'https://staging-iamcredentials.sandbox.googleapis.com/v1/locations/global/workforcePools/{pool_id}/allowedLocations';
+  'https://iamcredentials.googleapis.com/v1/locations/global/workforcePools/{pool_id}/allowedLocations';
 
 /**
  * RAB is considered valid for 6 hours.
@@ -63,19 +63,6 @@ export interface RegionalAccessBoundaryData {
   encodedLocations: string;
 }
 
-export function isRegionalAccessBoundaryEnabled() {
-  const rabEnabled =
-    process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'];
-  if (rabEnabled === undefined || rabEnabled === null) {
-    return false;
-  }
-  const lowercasedRabEnabled = rabEnabled.toLowerCase();
-  if (lowercasedRabEnabled === 'true' || rabEnabled === '1') {
-    return true;
-  }
-  return false;
-}
-
 export interface RegionalAccessBoundaryManagerOptions {
   transporter: Gaxios;
   getLookupUrl: () => Promise<string | null>;
@@ -94,10 +81,6 @@ export class RegionalAccessBoundaryManager {
     this.options = options;
   }
 
-  get enabled(): boolean {
-    return isRegionalAccessBoundaryEnabled();
-  }
-
   /**
    * @internal
    */
@@ -122,7 +105,7 @@ export class RegionalAccessBoundaryManager {
     url: string | URL | undefined,
     headers: Headers,
   ): string | null {
-    if (!this.enabled || !this.options.isUniverseDomainDefault()) {
+    if (!this.options.isUniverseDomainDefault()) {
       return null;
     }
 
@@ -275,4 +258,4 @@ export class RegionalAccessBoundaryManager {
 
     return regionalAccessBoundaryData;
   }
-}
+}
@@ -336,4 +336,4 @@ export function getWorkloadPoolIdFromAudience(audience: string): string | null {
       /\/workloadIdentityPools\/(?<workloadPool>[^/]+)\/providers\//,
     )?.groups?.workloadPool ?? null
   );
-}
+}
@@ -417,14 +417,6 @@ describe('AuthClient', () => {
           );
       }
 
-      beforeEach(() => {
-        process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'] = 'true';
-      });
-
-      afterEach(() => {
-        delete process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'];
-      });
-
       it('should trigger asynchronous background refresh and not block', async () => {
         const compute = new Compute({
           serviceAccountEmail: SERVICE_ACCOUNT_EMAIL,
@@ -613,4 +605,4 @@ describe('AuthClient', () => {
       });
     });
   });
-});
+});
@@ -162,11 +162,20 @@ describe('BaseExternalAccountClient', () => {
     '//iam.googleapis.com/projects_suffix/123456',
   ];
 
+  let sandbox: sinon.SinonSandbox;
+  beforeEach(() => {
+    sandbox = sinon.createSandbox();
+    sandbox
+      .stub(BaseExternalAccountClient.prototype, 'getRegionalAccessBoundaryUrl')
+      .resolves(undefined);
+  });
+
   afterEach(() => {
     nock.cleanAll();
     if (clock) {
       clock.restore();
     }
+    sandbox.restore();
   });
 
   describe('Constructor', () => {
@@ -2723,11 +2732,13 @@ describe('BaseExternalAccountClient', () => {
     };
 
     beforeEach(() => {
-      process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'] = 'true';
+      (
+        BaseExternalAccountClient.prototype
+          .getRegionalAccessBoundaryUrl as sinon.SinonStub
+      ).restore();
     });
 
     afterEach(() => {
-      delete process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'];
       nock.cleanAll();
     });
 

@@ -17,7 +17,7 @@ import {describe, it, beforeEach, afterEach} from 'mocha';
 import {BASE_PATH, HEADERS, HOST_ADDRESS} from 'gcp-metadata';
 import * as nock from 'nock';
 import * as sinon from 'sinon';
-import { Compute, gcpMetadata } from '../src';
+import {Compute, gcpMetadata} from '../src';
 import {
   SERVICE_ACCOUNT_LOOKUP_ENDPOINT,
   RegionalAccessBoundaryData,
@@ -48,6 +48,9 @@ describe('compute', () => {
   let compute: Compute;
   beforeEach(() => {
     compute = new Compute();
+    sandbox
+      .stub(Compute.prototype, 'getRegionalAccessBoundaryUrl')
+      .resolves(undefined);
   });
 
   afterEach(() => {
@@ -266,8 +269,6 @@ describe('compute', () => {
     assert.fail('failed to throw');
   });
   describe('regional access boundaries', () => {
-    let sandbox: sinon.SinonSandbox;
-
     const MOCK_ACCESS_TOKEN = 'abc123';
     const MOCK_AUTH_HEADER = `Bearer ${MOCK_ACCESS_TOKEN}`;
     const EXPECTED_RAB_DATA: RegionalAccessBoundaryData = {
@@ -284,7 +285,7 @@ describe('compute', () => {
         .get(tokenPath)
         .reply(
           200,
-          { access_token: MOCK_ACCESS_TOKEN, expires_in: 10000 },
+          {access_token: MOCK_ACCESS_TOKEN, expires_in: 10000},
           HEADERS,
         );
     }
@@ -304,13 +305,12 @@ describe('compute', () => {
     }
 
     beforeEach(() => {
-      sandbox = sinon.createSandbox();
-      process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'] = 'true';
+      (
+        Compute.prototype.getRegionalAccessBoundaryUrl as sinon.SinonStub
+      ).restore();
     });
 
     afterEach(() => {
-      delete process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'];
-      sandbox.restore();
       nock.cleanAll();
     });
 

@@ -909,11 +909,9 @@ describe('ExternalAccountAuthorizedUserClient', () => {
 
     beforeEach(() => {
       clock.restore();
-      process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'] = 'true';
     });
 
     afterEach(() => {
-      delete process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'];
       nock.cleanAll();
     });
 

@@ -74,8 +74,15 @@ interface ImpersonatedCredentialRequest {
 }
 
 describe('impersonated', () => {
+  beforeEach(() => {
+    sinon
+      .stub(Impersonated.prototype, 'getRegionalAccessBoundaryUrl')
+      .resolves(undefined);
+  });
+
   afterEach(() => {
     nock.cleanAll();
+    sinon.restore();
   });
 
   it('should request impersonated credentials on first request', async () => {
@@ -596,7 +603,6 @@ describe('impersonated', () => {
   });
 
   describe('regional access boundaries', () => {
-    let sandbox: sinon.SinonSandbox;
     const TARGET_PRINCIPAL_EMAIL = 'target@project.iam.gserviceaccount.com';
     const MOCK_ACCESS_TOKEN = 'abc123';
     const MOCK_AUTH_HEADER = `Bearer ${MOCK_ACCESS_TOKEN}`;
@@ -621,13 +627,12 @@ describe('impersonated', () => {
     }
 
     beforeEach(() => {
-      sandbox = sinon.createSandbox();
-      process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'] = 'true';
+      (
+        Impersonated.prototype.getRegionalAccessBoundaryUrl as sinon.SinonStub
+      ).restore();
     });
 
     afterEach(() => {
-      delete process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'];
-      sandbox.restore();
       nock.cleanAll();
     });
 

@@ -72,6 +72,9 @@ describe('jwt', () => {
     json = createJSON();
     jwt = new JWT();
     sandbox = sinon.createSandbox();
+    sandbox
+      .stub(JWT.prototype, 'getRegionalAccessBoundaryUrl')
+      .resolves(undefined);
   });
 
   afterEach(() => {
@@ -1250,7 +1253,6 @@ describe('jwt', () => {
   });
 
   describe('regional access boundaries', () => {
-    let sandbox: sinon.SinonSandbox;
     const SERVICE_ACCOUNT_EMAIL = 'service-account@example.com';
     const MOCK_ACCESS_TOKEN = 'abc123';
     const MOCK_AUTH_HEADER = `Bearer ${MOCK_ACCESS_TOKEN}`;
@@ -1276,13 +1278,10 @@ describe('jwt', () => {
     }
 
     beforeEach(() => {
-      sandbox = sinon.createSandbox();
-      process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'] = 'true';
+      (JWT.prototype.getRegionalAccessBoundaryUrl as sinon.SinonStub).restore();
     });
 
     afterEach(() => {
-      delete process.env['GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT'];
-      sandbox.restore();
       nock.cleanAll();
     });
 
@@ -1293,9 +1292,9 @@ describe('jwt', () => {
         scopes: ['http://bar', 'http://foo'],
         subject: 'bar@subjectaccount.com',
       });
-      jwt.credentials = { refresh_token: 'jwt-placeholder' };
+      jwt.credentials = {refresh_token: 'jwt-placeholder'};
 
-      const tokenScope = createGTokenMock({ access_token: MOCK_ACCESS_TOKEN });
+      const tokenScope = createGTokenMock({access_token: MOCK_ACCESS_TOKEN});
 
       let rabLookupCalled = false;
       const rabScope = setupRegionalAccessBoundaryNock(SERVICE_ACCOUNT_EMAIL);
@@ -1335,7 +1334,7 @@ describe('jwt', () => {
         email: SERVICE_ACCOUNT_EMAIL,
         key: keys.private,
       });
-      jwt.credentials = { refresh_token: 'jwt-placeholder' };
+      jwt.credentials = {refresh_token: 'jwt-placeholder'};
 
       const lookupUrl = SERVICE_ACCOUNT_LOOKUP_ENDPOINT.replace(
         '{service_account_email}',
@@ -1379,13 +1378,13 @@ describe('jwt', () => {
       const jwt = new JWT({
         email: SERVICE_ACCOUNT_EMAIL,
         key: PEM_CONTENTS,
-        additionalClaims: { target_audience: 'some-audience' },
+        additionalClaims: {target_audience: 'some-audience'},
       });
 
       // Setup a RAB lookup mock that should NOT be hit
       const rabScope = setupRegionalAccessBoundaryNock(SERVICE_ACCOUNT_EMAIL);
 
-      const scope = createGTokenMock({ id_token: 'id-token-abc' });
+      const scope = createGTokenMock({id_token: 'id-token-abc'});
       const headers = await jwt.getRequestHeaders(
         'https://pubsub.googleapis.com',
       );
-Original file line number
+Diff line change
@@ Expand Up / @@ -85,4 +85,4 @@ export class IdTokenClient extends OAuth2Client { @@
           return payload.exp * 1000;
         }
       }
-    }
+    }