Add Anthropic GCP WIF support#6153
Merged
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
This PR adds Google Cloud Workload Identity Federation (WIF) support for Anthropic authentication in hackbot-runtime, allowing long-running agents to authenticate without a static ANTHROPIC_API_KEY by continuously refreshing a Google-signed OIDC identity token on disk and pointing ANTHROPIC_IDENTITY_TOKEN_FILE at it.
Changes:
- Add
google-authdependency to support fetching GCP identity tokens. - Introduce
hackbot_runtime.anthropic_wifto fetch/write/refresh the identity token file on a background thread. - Invoke Anthropic WIF configuration during runtime startup (both sync and async entrypoints).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| libs/hackbot-runtime/pyproject.toml | Adds google-auth dependency needed for GCP identity token retrieval. |
| libs/hackbot-runtime/hackbot_runtime/runtime.py | Calls WIF configuration during startup to set ANTHROPIC_IDENTITY_TOKEN_FILE for downstream SDK/CLI usage. |
| libs/hackbot-runtime/hackbot_runtime/anthropic_wif.py | Implements WIF enablement checks, identity token fetch, atomic file writes, and periodic refresh loop. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Introduce GCP Workload Identity Federation support for Anthropic by adding an anthropic_wif module that fetches Google-signed OIDC identity tokens, writes them to a private file, and keeps them refreshed on a background thread (atomic writes, configurable refresh interval). Runtime now calls anthropic_wif.configure() before agent startup to wire token file into ANTHROPIC_IDENTITY_TOKEN_FILE; configure is a no-op when federation is not enabled or when ANTHROPIC_API_KEY is set. Also add google-auth to dependencies.
suhaibmujahid
force-pushed
the
wif-anthropic-auth
branch
from
c7dd5fc to
956800e
Compare
marco-c
approved these changes
Jun 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Introduce GCP Workload Identity Federation support for Anthropic by adding an anthropic_wif module that fetches Google-signed OIDC identity tokens, writes them to a private file, and keeps them refreshed on a background thread (atomic writes, configurable refresh interval). Runtime now calls anthropic_wif.configure() before agent startup to wire token file into ANTHROPIC_IDENTITY_TOKEN_FILE; configure is a no-op when federation is not enabled or when ANTHROPIC_API_KEY is set.
Resolves #6150