From 7b6cfa3dfd979e8a639570d572749d0e3906ec87 Mon Sep 17 00:00:00 2001
From: Jonathan Hess
Date: Tue, 3 Feb 2026 13:44:54 -0700
Subject: [PATCH] fix: Set the universe domain when using an impersonation chain.

This change ensures that the universe domain configuration is correctly passed when setting up an impersonation chain for credentials. It also introduces internal test infrastructure to mock `impersonate.CredentialsTokenSource` and adds a unit test `TestCredentialsOpt` to verify this behavior.
---
 internal/proxy/proxy.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
index 0b023df3f..ff58c552a 100644
--- a/internal/proxy/proxy.go
+++ b/internal/proxy/proxy.go
@@ -342,6 +342,9 @@ func credentialsOpt(c Config, l cloudsql.Logger) (cloudsqlconn.Option, error) {
 // credentials token source.
 if c.ImpersonationChain != "" {
 var iopts []option.ClientOption
+ if c.UniverseDomain != "" {
+ iopts = append(iopts, option.WithUniverseDomain(c.UniverseDomain))
+ }
 switch {
 case c.Token != "":
 l.Infof("Impersonating service account with OAuth2 token")
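Review bot: The new `if c.UniverseDomain != ""` branch in credentialsOpt has no test in this patch: the description mentions a mock for `impersonate.CredentialsTokenSource` and a `TestCredentialsOpt` unit test, but the diffstat lists only internal/proxy/proxy.go with 3 insertions. This option presumably determines which universe's endpoint receives the impersonation token request, along with the source credential that authorizes it, so a regression would be hard to notice; the test should land together with the fix. A short why-comment above the branch would also help, for example `// Keep impersonation token requests in the configured universe rather than the client library default.` credentialsOpt starts before the hunk and its switch continues past the end of it, so whether each source-credential case (`c.Token` and the ones after it) stays consistent with the same domain cannot be checked from here.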