We recently launched mTLS bound tokens for Agentic workloads. However, it was discovered that the python-genai library is incompatible with mTLS and therefore incompatible with bound tokens. The problem is multi-fold:
- Unlike python-pubsub or python-aiplatform, which are GAPIC-based, the python-genai library is "handwritten" and is missing the logic for "automatically enabling mTLS" when workload identity is detected (see https://github.com/googleapis/python-pubsub/pull/1566/files for the GAPIC-side change).
- python-genai uses hard-coded non-mTLS endpoints in several locations (for example in _api_client.py), which is a potential source of 401 rejections when a bound token is presented without the matching client certificate.
- python-genai cannot use "AuthorizedSession" from the core google-auth Python library (https://github.com/googleapis/google-auth-library-python/blob/main/google/auth/transport/requests.py) because of its async requirements. It is currently designed around httpx and aiohttp, both of which the end user can also override.
We need a comprehensive plan to address these gaps to make python-genai compatible with mTLS.
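As an added illustration of the missing piece (this is not python-genai's or google-api-core's own code), the endpoint and client-certificate decision that GAPIC clients make automatically, written out in Python. The environment variable names are the standard google-api-core ones; the hostname is a constructed placeholder, and the `cert=` keyword is httpx's, assumed to be what a user-supplied httpx client would be built with.

```python
import os
import re
from typing import Mapping, Optional

# Standard google-api-core environment variables consulted by GAPIC clients.
USE_CLIENT_CERT_ENV = "GOOGLE_API_USE_CLIENT_CERTIFICATE"  # "true" / "false"
USE_MTLS_ENDPOINT_ENV = "GOOGLE_API_USE_MTLS_ENDPOINT"     # "auto" / "always" / "never"


def mtls_endpoint_for(endpoint: str) -> str:
    """Derive the mTLS host the way GAPIC does: svc.googleapis.com -> svc.mtls.googleapis.com.

    Idempotent: a host that is already an mTLS host is returned unchanged."""
    return re.sub(r"(?<!\.mtls)\.googleapis\.com$", ".mtls.googleapis.com", endpoint)


def resolve_endpoint(default_endpoint: str, has_client_cert: bool,
                     env: Optional[Mapping[str, str]] = None) -> tuple[str, bool]:
    """Return (endpoint_to_use, send_client_cert).

    A client certificate is sent only when GOOGLE_API_USE_CLIENT_CERTIFICATE=true
    AND a certificate is actually available (e.g. from the workload identity).
    The endpoint follows GOOGLE_API_USE_MTLS_ENDPOINT: "always" / "never", or
    "auto" (default), which means the mTLS endpoint exactly when a cert is sent.
    Hard-coding the non-mTLS host, as the report describes, skips all of this."""
    env = os.environ if env is None else env
    cert_flag = env.get(USE_CLIENT_CERT_ENV, "false").lower()
    if cert_flag not in ("true", "false"):
        raise ValueError(f"{USE_CLIENT_CERT_ENV} must be 'true' or 'false'")
    send_cert = cert_flag == "true" and has_client_cert

    mode = env.get(USE_MTLS_ENDPOINT_ENV, "auto").lower()
    if mode == "always":
        return mtls_endpoint_for(default_endpoint), send_cert
    if mode == "never":
        return default_endpoint, send_cert
    if mode == "auto":
        return (mtls_endpoint_for(default_endpoint) if send_cert else default_endpoint), send_cert
    raise ValueError(f"{USE_MTLS_ENDPOINT_ENV} must be 'auto', 'always' or 'never'")


def httpx_client_args(send_cert: bool, cert_path: str, key_path: str) -> dict:
    """Keyword arguments for an httpx.Client / httpx.AsyncClient (the overridable
    transport): attach the client cert/key pair only when the decision above says so."""
    return {"cert": (cert_path, key_path)} if send_cert else {}
```

A hard-coded non-mTLS endpoint corresponds to always taking the "never" branch, which is why a bound token sent there is rejected.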