googleapis · vverman · Jun 10, 2026 · Jun 4, 2026 · Jun 4, 2026 · Jun 4, 2026
@@ -15,6 +15,7 @@
 import {GaxiosError} from 'gaxios';
 import * as gcpMetadata from 'gcp-metadata';
 
+import {AuthClient} from './authclient';
 import {CredentialRequest, Credentials} from './credentials';
 import {
   GetTokenResponse,
@@ -38,8 +39,10 @@ export interface ComputeOptions extends OAuth2ClientOptions {
 }
 
 export class Compute extends OAuth2Client {
+  private static readonly EMAIL_REGEX = /^[^@]+@[^@]+\.[^@]+$/;
   readonly serviceAccountEmail: string;
   scopes: string[];
+  private isNonEmailAccount = false;
 
   /**
    * Google Compute Engine service account credentials.
@@ -141,14 +144,20 @@ export class Compute extends OAuth2Client {
 
   /**
    * Returns the regional access boundary lookup URL for the GCE instance.
-   * This implementation resolves the default service account email of the GCE
-   * instance to construct the lookup endpoint.
+   * This implementation resolves the service account email of the GCE
+   * instance to construct the lookup endpoint. If the resolved email is invalid
+   * or not found, it returns `null` to skip the regional access boundary check.
    *
-   * @return The regional access boundary URL string.
+   * @return The regional access boundary URL string, or null if regional access
+   * boundary checks should be skipped.
    * @internal
    */
-  public async getRegionalAccessBoundaryUrl(): Promise<string> {
+  public async getRegionalAccessBoundaryUrl(): Promise<string | null> {
     const email = await this.resolveServiceAccountEmail();
+    if (email === null) {
+      // This credential corresponds to a non-email account; skip RAB lookup.
+      return null;
+    }
     const regionalAccessBoundaryUrl = SERVICE_ACCOUNT_LOOKUP_ENDPOINT.replace(
       '{service_account_email}',
       encodeURIComponent(email),
@@ -159,17 +168,35 @@ export class Compute extends OAuth2Client {
   /**
    * Resolves the service account email. If the email is set to 'default',
    * it fetches the email from the GCE metadata server.
-   * @returns A promise that resolves with the service account email.
+   * @returns A promise that resolves with the service account email,
+   *  or null if MDS returns an invalid email format
    */
-  private async resolveServiceAccountEmail(): Promise<string> {
+  private async resolveServiceAccountEmail(): Promise<string | null> {
+    if (this.isNonEmailAccount) {
+      return null;
+    }
+
     if (this.serviceAccountEmail !== 'default') {
       // If a specific email is provided, return it directly.
       return this.serviceAccountEmail;
     }
 
     // Otherwise, fetch the default email from the metadata server.
     try {
-      return await gcpMetadata.instance('service-accounts/default/email');
+      const email = await gcpMetadata.instance<string>(
+        'service-accounts/default/email',
+      );
+
+      // If the metadata server returned an non-email format, log a warning only once.
+      if (!email || !Compute.EMAIL_REGEX.test(email)) {
+        AuthClient.log.info(
+          `RegionalAccessBoundary: Service account email "${email}" is not in a valid email format. Skipping regional access boundary lookup.`,
+        );
+        this.isNonEmailAccount = true;
+        return null;
+      }
+
+      return email;
     } catch (e) {
       throw new Error(
         'RegionalAccessBoundary: Failed to retrieve default service account email from metadata server.',

@@ -370,5 +370,92 @@ describe('compute', () => {
         /RegionalAccessBoundary: Failed to retrieve default service account email from metadata server./,
       );
     });
+
+    it('should return null from getRegionalAccessBoundaryUrl if email returned from metadata server is not a valid email format', async () => {
+      const compute = new Compute();
+      const fakeEmail = 'not-a-valid-email';
+      const metadataStub = sandbox.stub(gcpMetadata, 'instance');
+      metadataStub.callThrough();
+      metadataStub
+        .withArgs('service-accounts/default/email')
+        .resolves(fakeEmail);
+
+      const url = await compute.getRegionalAccessBoundaryUrl();
+      assert.strictEqual(url, null);
+    });
+
+    it('should return valid URL from getRegionalAccessBoundaryUrl if custom serviceAccountEmail is set', async () => {
+      const email = 'custom-sa@example.com';
+      const compute = new Compute({serviceAccountEmail: email});
+      const url = await compute.getRegionalAccessBoundaryUrl();
+      const expectedUrl = SERVICE_ACCOUNT_LOOKUP_ENDPOINT.replace(
+        '{service_account_email}',
+        encodeURIComponent(email),
+      );
+      assert.strictEqual(url, expectedUrl);
+    });
+
+    it('should return valid URL from getRegionalAccessBoundaryUrl when MDS returns a valid default service account email', async () => {
+      const compute = new Compute();
+      const fakeEmail = 'fake-default-sa@developer.gserviceaccount.com';
+      const metadataStub = sandbox.stub(gcpMetadata, 'instance');
+      metadataStub.callThrough();
+      metadataStub
+        .withArgs('service-accounts/default/email')
+        .resolves(fakeEmail);
+
+      const url = await compute.getRegionalAccessBoundaryUrl();
+      const expectedUrl = SERVICE_ACCOUNT_LOOKUP_ENDPOINT.replace(
+        '{service_account_email}',
+        encodeURIComponent(fakeEmail),
+      );
+      assert.strictEqual(url, expectedUrl);
+    });
+
+    it('should NOT trigger asynchronous RAB refresh and NOT attach RAB header if email from metadata server is not a valid email format', async () => {
+      const compute = new Compute();
+      const fakeEmail = 'not-a-valid-email';
+      const metadataStub = sandbox.stub(gcpMetadata, 'instance');
+      metadataStub.callThrough();
+      metadataStub
+        .withArgs('service-accounts/default/email')
+        .resolves(fakeEmail);
+
+      const tokenScope = setupTokenNock('default');
+
+      const url = 'https://pubsub.googleapis.com';
+      const headers = await compute.getRequestHeaders(url);
+
+      // Headers should NOT have RAB
+      assert.strictEqual(headers.get('x-allowed-locations'), null);
+
+      // Wait a little bit for any background task to run
+      await new Promise(r => setTimeout(r, 500));
+
+      // Regional access boundary data should remain null
+      assert.strictEqual(compute.getRegionalAccessBoundary(), null);
+
+      tokenScope.done();
+    });
+
+    it('should cache the service account email and avoid repeated metadata server calls when email is invalid', async () => {
+      const compute = new Compute();
+      const fakeEmail = 'not-a-valid-email';
+      const metadataStub = sandbox.stub(gcpMetadata, 'instance');
+      metadataStub.callThrough();
+      metadataStub
+        .withArgs('service-accounts/default/email')
+        .resolves(fakeEmail);
+
+      // Call it the first time
+      let url = await compute.getRegionalAccessBoundaryUrl();
+      assert.strictEqual(url, null);
+      assert.strictEqual(metadataStub.callCount, 1);
+
+      // Call it a second time - should use cache and not call MDS again
+      url = await compute.getRegionalAccessBoundaryUrl();
+      assert.strictEqual(url, null);
+      assert.strictEqual(metadataStub.callCount, 1);
+    });
   });
 });