fix(core): honor GOOGLE_CLOUD_LOCATION for Vertex AI with API key#28142
fix(core): honor GOOGLE_CLOUD_LOCATION for Vertex AI with API key#28142abhay-codes07 wants to merge 2 commits into
Conversation
When authenticating to Vertex AI with an API key, @google/genai forces the global endpoint and silently ignores GOOGLE_CLOUD_LOCATION, routing requests to aiplatform.googleapis.com regardless of the configured region. This breaks data-residency expectations for users who select a specific location, while /about still displays the configured region. Derive the regional endpoint (https://<location>-aiplatform.googleapis.com/) when a Vertex AI API key is used together with a non-global GOOGLE_CLOUD_LOCATION. Explicit overrides (config base URL and GOOGLE_VERTEX_BASE_URL) continue to take precedence, and the API-key-less project/location flow is unchanged. Fixes google-gemini#27984
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
📊 PR Size: size/M
|
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses an issue where Vertex AI requests were defaulting to the global endpoint when authenticated via an API key, effectively ignoring the user-configured GOOGLE_CLOUD_LOCATION. By explicitly deriving the regional endpoint and passing it to the generator, the change ensures that data residency requirements are met while maintaining backward compatibility for existing configurations. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds support for deriving regional endpoints from the GOOGLE_CLOUD_LOCATION environment variable when using Vertex AI with an API key, along with comprehensive unit tests. The reviewer suggests validating the GOOGLE_CLOUD_LOCATION value against a regular expression to prevent potential URL injection or malformed URL issues.
| const location = process.env['GOOGLE_CLOUD_LOCATION']?.trim(); | ||
| if (location && location !== 'global') { | ||
| baseUrl = `https://${location}-aiplatform.googleapis.com/`; | ||
| } |
There was a problem hiding this comment.
Constructing the baseUrl by directly interpolating the GOOGLE_CLOUD_LOCATION environment variable without validation can lead to malformed URLs or potential URL injection vulnerabilities if the environment variable contains unexpected characters (e.g., @, :, /, ?, #).
Since Google Cloud region names strictly consist of alphanumeric characters and hyphens (e.g., us-central1, europe-west3), we should validate the location string against a regular expression (like /^[a-z0-9-]+$/i) before using it to construct the URL. If the location is invalid, we should throw an error to fail fast and prevent security or routing issues.
const location = process.env['GOOGLE_CLOUD_LOCATION']?.trim();
if (location && location !== 'global') {
if (!/^[a-z0-9-]+$/i.test(location)) {
throw new Error('Invalid GOOGLE_CLOUD_LOCATION: ' + location);
}
baseUrl = 'https://' + location + '-aiplatform.googleapis.com/';
}
|
@googlebot I signed it! |
1 participant
Summary
When authenticating to Vertex AI with an API key (
GOOGLE_API_KEY), the configuredGOOGLE_CLOUD_LOCATIONis silently ignored and requests are routed to the global endpoint (https://aiplatform.googleapis.com/) instead of the regional one.The root cause is in
@google/genai: as soon as an API key is present it clears project/location and short-circuits to the global endpoint. Meanwhile/aboutstill displays the configured region and/modellists region-appropriate models, so the displayed configuration and the actual routing disagree with no warning. For users who pick Vertex AI specifically for data residency (e.g. GDPR), this undermines exactly the expectation that made them set a location.Fix
In
createContentGenerator, when a Vertex AI API key is used together with a non-globalGOOGLE_CLOUD_LOCATION, derive the regional endpoint ourselves and pass it explicitly viahttpOptions.baseUrl(which overrides the library's global default throughpatchHttpOptions):This matches the exact URL format the library already uses for the project/location flow.
Precedence is preserved:
baseUrl) andGOOGLE_VERTEX_BASE_URLstill take priority and are left untouched.location === 'global'and an unset location fall back to the existing global behavior (no regression).Testing
Added unit tests in
contentGenerator.test.tscovering:GOOGLE_CLOUD_LOCATION(bothhttpOptions.baseUrlandapiEndpoint)globallocation → global endpoint (no derivedbaseUrl)baseUrlGOOGLE_VERTEX_BASE_URLtaking precedence over the derived endpointAll 59 tests in the file pass;
eslintandtsc --noEmitare clean for the affected package.Fixes #27984