
Eng 1912 - support Google Service Account auth#7257

Merged
Vagoasdf merged 16 commits into main from ENG-1912-support-service-account-auth
Feb 4, 2026

Conversation

@Vagoasdf
Contributor

@Vagoasdf Vagoasdf commented Jan 27, 2026

Ticket ENG-1912

Description Of Changes

Implements a new authentication strategy for Google Cloud Service Account credentials, enabling Fides to authenticate HTTP requests to Google Cloud APIs using service account keys (JWT-based OAuth2 flow).

Contains:

  • Service Account Authentication: Uses project_id, client_email, and private_key to generate OAuth2 access tokens via Google's service account flow
  • Token Caching: Caches access tokens in connection secrets and automatically refreshes them 10 minutes before expiration to minimize API calls and improve performance
  • Configurable Scopes: Supports custom OAuth2 scopes per connection (defaults to cloud-platform scope)

Code Changes

Core Implementation

src/fides/api/service/authentication/authentication_strategy_google_cloud_service_account.py (322 lines)

  • Token generation using google-auth library
  • Token caching with expiration management
  • Private key normalization utility
  • Centralized error handling

Configuration and registration

  • Added GoogleCloudServiceAccountConfiguration schema with configurable scopes to src/fides/api/schemas/saas/strategy_configuration.py
  • Registered strategy in SupportedAuthenticationStrategies enum
  • Added explicit dependency google-auth==2.48.0 for Google OAuth2 authentication

Tests

  • Strategy registration and configuration tests
  • Required field validation tests
  • Credential construction tests (including optional fields)
  • Private key normalization tests
  • Token caching behavior tests
  • Token generation and error handling tests (network, auth, validation errors)
  • Header preservation tests

Steps to Confirm

  1. Set up a Google Services integration with https://github.com/ethyca/fidesplus/pull/3020
  2. Enter the Google Services found on 1password
  3. Use the Test connection request. It should be able to connect with Google Services without problems (e.g. no 403 or 500 error being thrown)

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a db-migration label to the entry if your change includes a DB migration
    • Add a high-risk label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • All UX related changes have been reviewed by a designer
    • No UX review needed
  • Followup issues:
    • Followup issues created
    • No followup issues
  • Database migrations:
    • Ensure that your downrev is up to date with the latest revision on main
    • Ensure that your downgrade() migration is correct and works
      • If a downgrade migration is not possible for this change, please call this out in the PR description!
    • No migrations
  • Documentation:
    • Documentation complete, PR opened in fidesdocs
    • Documentation issue created in fidesdocs
    • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
    • No documentation updates required


@Vagoasdf Vagoasdf changed the title from "Eng 1912 support service account auth" to "Eng 1912 support Google Service Account auth" Jan 27, 2026
@Vagoasdf Vagoasdf changed the title from "Eng 1912 support Google Service Account auth" to "Eng 1912 - support Google Service Account auth" Jan 27, 2026
@Vagoasdf Vagoasdf force-pushed the ENG-1912-support-service-account-auth branch from b6ee716 to d742ea0 January 29, 2026 16:05
@Vagoasdf Vagoasdf marked this pull request as ready for review January 29, 2026 19:38
@Vagoasdf Vagoasdf requested a review from a team as a code owner January 29, 2026 19:38
@Vagoasdf Vagoasdf requested review from galvana and removed request for a team January 29, 2026 19:38
@greptile-apps
Contributor

greptile-apps bot commented Jan 29, 2026

Greptile Overview

Greptile Summary

This PR adds a new authentication strategy for Google Cloud Service Account credentials, enabling Fides to authenticate HTTP requests to Google Cloud APIs using JWT-based OAuth2 flow.

Key Changes:

  • Implements GoogleCloudServiceAccountAuthenticationStrategy with service account key-based authentication
  • Generates and caches OAuth2 access tokens with automatic refresh 10 minutes before expiration
  • Supports configurable OAuth2 scopes per connection (defaults to cloud-platform scope)
  • Handles private key normalization for common copy/paste issues (escaped newlines, missing trailing newlines)
  • Provides comprehensive error handling with user-friendly messages for network, authentication, and validation errors
  • Includes thorough test coverage for registration, validation, token caching, generation, and error scenarios

Implementation Quality:

  • Clean separation of concerns with dedicated methods for each step (validation, token generation, caching, error handling)
  • Good use of constants for required fields, default values, and buffer times
  • Consistent with existing authentication strategy patterns in the codebase
  • Well-documented with clear docstrings

Confidence Score: 4/5

  • This PR is safe to merge with only minor style improvements recommended
  • The implementation is solid with comprehensive test coverage and follows existing patterns. The two style suggestions are minor: standardizing datetime usage and making a method static per custom instructions. No logical errors or security issues were found.
  • No files require special attention

Important Files Changed

  • src/fides/api/service/authentication/authentication_strategy_google_cloud_service_account.py: Implements Google Cloud Service Account authentication with JWT-based OAuth2, token caching, and comprehensive error handling
  • src/fides/api/schemas/saas/strategy_configuration.py: Adds GoogleCloudServiceAccountConfiguration schema with optional configurable scopes
  • tests/ops/service/authentication/test_authentication_strategy_google_cloud_service_account.py: Comprehensive test coverage for strategy registration, validation, token caching, generation, and error handling
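The token-caching and private-key-normalization behaviour described in the PR description and in the review summary above, as an added example (not the PR's own implementation; the function names, the secrets keys and the mint_token callback that stands in for the google-auth flow are assumptions):

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

# Assumed constants: the PR describes a 10-minute refresh buffer and a
# cloud-platform default scope; the names here are this example's own.
REFRESH_BUFFER_SECONDS = 10 * 60
DEFAULT_SCOPES = ["https://www.googleapis.com/auth/cloud-platform"]


def normalize_private_key(private_key: str) -> str:
    """Repair the copy/paste defects the PR calls out: literal "\\n"
    sequences instead of newlines, and a missing trailing newline."""
    key = private_key.strip().replace("\\n", "\n")
    # PEM parsers expect the block to end with a newline.
    if not key.endswith("\n"):
        key += "\n"
    if "-----BEGIN PRIVATE KEY-----" not in key:
        raise ValueError("private_key is not a PEM-encoded PKCS#8 key")
    return key


def is_close_to_expiration(expires_at: int, now: int) -> bool:
    """True when the cached token expires within the refresh buffer."""
    return expires_at - now <= REFRESH_BUFFER_SECONDS


def get_access_token(
    secrets: Dict[str, object],
    mint_token: Callable[[str, List[str]], Tuple[str, int]],
    now: Optional[int] = None,
) -> str:
    """Return the access token cached in `secrets`, minting a new one only
    when none is cached or the cached one is within the refresh buffer.

    `mint_token(normalized_key, scopes)` is a hypothetical stand-in for the
    service-account flow and returns (token, expires_at_epoch_seconds).
    """
    now = int(time.time()) if now is None else now
    cached = secrets.get("access_token")
    expires_at = secrets.get("expires_at")
    if cached and isinstance(expires_at, int) and not is_close_to_expiration(expires_at, now):
        return str(cached)
    scopes = list(secrets.get("scopes") or DEFAULT_SCOPES)  # per-connection override
    key = normalize_private_key(str(secrets["private_key"]))
    token, new_expires_at = mint_token(key, scopes)
    # Persist next to the connection secrets so later requests reuse it.
    secrets["access_token"], secrets["expires_at"] = token, new_expires_at
    return token
```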

Contributor

@greptile-apps greptile-apps bot left a comment


3 files reviewed, 2 comments


Comment on lines +180 to +182
def _is_close_to_expiration(
    self, expires_at: int
) -> bool:
Contributor


Inconsistent datetime usage - this uses datetime.now(timezone.utc) while the OAuth2 base strategy uses datetime.utcnow() in authentication_strategy_oauth2_base.py:48. Consider standardizing on datetime.now(timezone.utc) throughout for timezone-aware datetimes.

Contributor Author


Would this be in the scope of this PR? datetime.utcnow() is deprecated on Python 3.12 and higher. Could be its own task.

Contributor


You're absolutely right that datetime.utcnow() is deprecated in Python 3.12+ and should be replaced with datetime.now(timezone.utc). However, this specific change would be outside the scope of this PR.

This PR is focused on implementing Google Service Account authentication, and the code you're adding correctly uses the modern datetime.now(timezone.utc) approach. Updating the existing OAuth2 base strategy would be a separate concern that affects other authentication strategies beyond just the Google one being added here.

This would indeed be better suited as its own task to:

  1. Audit all uses of datetime.utcnow() across the codebase
  2. Update them consistently to datetime.now(timezone.utc)
  3. Ensure no regressions in existing authentication flows

Your new code is following the correct modern pattern, so there's no issue with the implementation in this PR.

Comment on lines +322 to +325
@staticmethod
def get_configuration_model() -> StrategyConfiguration:
    """Return the configuration model for this strategy."""
    return GoogleCloudServiceAccountConfiguration  # type: ignore
Contributor


get_configuration_model() should be a static method as it doesn't require instance state.

Suggested change
@staticmethod
def get_configuration_model() -> StrategyConfiguration:
    """Return the configuration model for this strategy."""
    return GoogleCloudServiceAccountConfiguration  # type: ignore
@staticmethod
def get_configuration_model() -> StrategyConfiguration:
    """Return the configuration model for this strategy."""
    return GoogleCloudServiceAccountConfiguration  # type: ignore

Context Used: Rule from dashboard - Use static methods instead of instance methods when the method doesn't require instance state. (source)

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Contributor Author


Greptile got a little bit confused here 😅

Contributor


You're absolutely right! I see the confusion - the method is already marked as @staticmethod on line 321. My apologies for the incorrect comment. The method is properly implemented as a static method since it doesn't need access to instance state.

Contributor

@galvana galvana left a comment


Approved! I just left one comment

@Vagoasdf Vagoasdf added this pull request to the merge queue Feb 4, 2026
Merged via the queue into main with commit b90c5d8 Feb 4, 2026
53 of 55 checks passed
@Vagoasdf Vagoasdf deleted the ENG-1912-support-service-account-auth branch February 4, 2026 15:36
@greptile-apps greptile-apps bot mentioned this pull request Feb 6, 2026