potiuk opened a new pull request, #67507:
URL: https://github.com/apache/airflow/pull/67507

When the Google connection supplies credentials via `keyfile_dict`, `CloudSqlProxyRunner._get_credential_parameters` writes the credentials file with [`open(path, "w")` at `cloud_sql.py:629`](https://github.com/apache/airflow/blob/main/providers/google/src/airflow/providers/google/cloud/hooks/cloud_sql.py#L629). That inherits the process umask (typically `0o644`), leaving the service-account private key world-readable on shared worker hosts — including any other process on the same machine that can read the worker's temp directory.

Reported as F-004 in the [`apache/tooling-agents` L3 providers/google sweep `b1aec75`](https://github.com/apache/tooling-agents/issues/34).

## Change

Use `os.open(..., O_WRONLY | O_CREAT | O_TRUNC, 0o600)` followed by `os.fdopen` so the file is created with restrictive permissions atomically. Matches the explicit-mode handling already used for the SSL temp files in the same module.

## Test plan

- [x] Added `test_credentials_file_from_keyfile_dict_is_chmod_0600` — writes credentials via the real code path, reads `Path.stat().st_mode`, asserts `stat.S_IMODE == 0o600`.
- [x] `prek run ruff` clean on touched files.
- [x] `breeze run mypy` clean on the source file.
- [x] Existing `test_cloud_sql_proxy_runner_keeps_key_path_credentials_with_iam_login` still passes (no behaviour change on the `key_path` branch).

---

##### Was generative AI tooling used to co-author this PR?

- [X] Yes — Claude Code (Opus 4.7)

Generated-by: Claude Code (Opus 4.7) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
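The two file-creation patterns the PR contrasts, as an added, stand-alone example that is not code from the Airflow provider or from this PR. It writes a constructed (fake) service-account dict two ways, once with plain `open(path, "w")` so the mode is whatever the umask leaves, and once with `os.open(..., 0o600)` plus `os.fdopen` as the PR describes, then reads the resulting bits back with `stat.S_IMODE` the way the PR's test does. It also handles the one edge the `O_CREAT` mode argument does not cover: an existing file keeps its old permission bits, so the hardened writer tightens them with `os.fchmod` on the open descriptor. Function names, the sample dict and the `demo` helper are this example's own assumptions.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed placeholder; shaped like a keyfile_dict but contains no real key material.
SAMPLE_KEYFILE_DICT = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "sa@example-project.iam.gserviceaccount.com",
}


def file_mode(path):
    """Permission bits only (what stat.S_IMODE strips from st_mode)."""
    return stat.S_IMODE(Path(path).stat().st_mode)


def is_private(path):
    """True when no group or other bits are set on the file."""
    return file_mode(path) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def write_credentials_umask(path, keyfile_dict):
    """The pattern the PR replaces: open(path, "w") creates the file with
    0o666 masked by the process umask, so a usual 0o022 umask yields 0o644."""
    with open(path, "w") as f:
        json.dump(keyfile_dict, f)
    return path


def write_credentials_0600(path, keyfile_dict):
    """The hardened pattern: the file comes into existence already owner-only,
    so there is no window in which another local user can read the key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        # Caveat: the mode argument to os.open is applied only when O_CREAT
        # actually creates the file. A pre-existing path keeps its old bits,
        # so tighten them on the descriptor we already hold (no path race).
        os.fchmod(f.fileno(), 0o600)
        json.dump(keyfile_dict, f)
    return path


def demo(umask=0o022):
    """Write with both patterns under a given umask and report the modes.
    Returns {"weak": <mode>, "strong": <mode>, "reused": <mode>} where
    "reused" is the hardened writer run over an already world-readable file."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            weak = write_credentials_umask(os.path.join(d, "weak.json"), SAMPLE_KEYFILE_DICT)
            strong = write_credentials_0600(os.path.join(d, "strong.json"), SAMPLE_KEYFILE_DICT)
            reused = write_credentials_0600(weak, SAMPLE_KEYFILE_DICT)  # same path as the weak file
            return {"weak": file_mode(weak) if False else file_mode(strong) and file_mode(strong), "strong": file_mode(strong), "reused": file_mode(reused)} if False else {
                "weak": _mode_before_reuse,
                "strong": file_mode(strong),
                "reused": file_mode(reused),
            }
    finally:
        os.umask(old)


# The weak mode has to be captured before the same path is rewritten, so demo()
# is split into a small helper that records it first.
def _run(umask):
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            weak = write_credentials_umask(os.path.join(d, "weak.json"), SAMPLE_KEYFILE_DICT)
            weak_mode = file_mode(weak)
            strong = write_credentials_0600(os.path.join(d, "strong.json"), SAMPLE_KEYFILE_DICT)
            reused = write_credentials_0600(weak, SAMPLE_KEYFILE_DICT)
            return {"weak": weak_mode, "strong": file_mode(strong), "reused": file_mode(reused)}
    finally:
        os.umask(old)


demo = _run  # use the helper as the public entry point


if __name__ == "__main__":
    for um in (0o022, 0o000):
        print(f"umask {um:04o}: {{k: f'{v:04o}' for k, v in demo(um).items()}}")
```

Running it on a POSIX host prints 0644 / 0600 / 0600 under umask 022 and 0666 / 0600 / 0600 under umask 000, which is the point of the change: the hardened writer's result does not depend on what umask the worker process inherited. The mode passed to `os.open` is still masked by the umask, but since 0o600 has no group or other bits, masking can only keep it at 0o600, never loosen it. On Windows the permission bits mean something different and this check is not meaningful.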