Summary of the issue
It looks like the public helper mtls.has_default_client_cert_source() is missing a check for the CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH env var.
Because of this gap, if a user relies on that env var for their cert config, we end up in a weird split-brain situation: HTTP correctly thinks mTLS is enabled, but gRPC evaluates it to false.
Proposed fix
We should update the public helper to use the centralized _get_cert_config_path method (or similar unified logic) so both transports stay in sync and evaluate the exact same mTLS state.
Affected Files
google/auth/transport/mtls.py
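A simplified model of the divergence described in this issue, with a parity check that could serve as a regression test. This is an added example, not code from the issue or from google-auth. Only the env var name comes from the report; the function names, the default-path parameter and the env-var-first precedence are assumptions.

```python
import os
import tempfile

# Env var named in the issue; every other name below is a hypothetical model.
ENV_VAR = "CLOUDSDK_CONTEXT_AWARE_CERTIFICATE_CONFIG_FILE_PATH"


def resolve_cert_config_path(env, default_path):
    """Shared resolver: env var override first (assumed order), then default."""
    for candidate in (env.get(ENV_VAR), default_path):
        if candidate and os.path.isfile(candidate):
            return candidate
    return None


def helper_before_fix(env, default_path):
    """Models the reported gap: only the default location is consulted."""
    return os.path.isfile(default_path)


def helper_after_fix(env, default_path):
    """Models the proposed fix: delegate to the shared resolver."""
    return resolve_cert_config_path(env, default_path) is not None


def find_divergence(helper, workdir):
    """Return the scenario names where `helper` disagrees with the resolver."""
    env_file = os.path.join(workdir, "env_config.json")
    default_file = os.path.join(workdir, "default_config.json")
    missing = os.path.join(workdir, "missing.json")
    for path in (env_file, default_file):
        with open(path, "w") as fh:
            fh.write("{}")  # constructed placeholder config
    scenarios = {
        "nothing configured": ({}, missing),
        "default file only": ({}, default_file),
        "env var only": ({ENV_VAR: env_file}, missing),
        "env var points at missing file": ({ENV_VAR: missing}, missing),
        "both": ({ENV_VAR: env_file}, default_file),
    }
    return [name for name, (env, default) in scenarios.items()
            if helper(env, default) != (resolve_cert_config_path(env, default) is not None)]


def run_parity_check():
    """Run every scenario against the pre-fix and post-fix helper models."""
    with tempfile.TemporaryDirectory() as workdir:
        return (find_divergence(helper_before_fix, workdir),
                find_divergence(helper_after_fix, workdir))
```

Only the "env var only" scenario separates the two helpers, which is why a test suite that always provisions the default config file would not catch the mismatch.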