feat: Add regional endpoint support to SecretManagerClient

google-genai-bot · copybara-github · commit 19ac679aeacc · 2026-04-03T19:34:02.000-07:00
The `SecretManagerClient` now accepts a `location` parameter to connect to a regional Secret Manager endpoint.

PiperOrigin-RevId: 894356924
diff --git a/src/google/adk/integrations/secret_manager/secret_client.py b/src/google/adk/integrations/secret_manager/secret_client.py
@@ -42,13 +42,16 @@ def __init__(
       self,
       service_account_json: Optional[str] = None,
       auth_token: Optional[str] = None,
+      location: Optional[str] = None,
   ):
     """Initializes the SecretManagerClient.
 
     Args:
         service_account_json:  The content of a service account JSON keyfile (as
           a string), not the file path.  Must be valid JSON.
         auth_token: An existing Google Cloud authorization token.
+        location: The Google Cloud location (region) to use for the Secret
+          Manager service. If not provided, the global endpoint is used.
 
     Raises:
         ValueError: If neither `service_account_json` nor `auth_token` is
@@ -92,8 +95,15 @@ def __init__(
       )
 
     self._credentials = credentials
+
+    client_options = None
+    if location:
+      client_options = {
+          "api_endpoint": f"secretmanager.{location}.rep.googleapis.com"
+      }
+
     self._client = secretmanager.SecretManagerServiceClient(
-        credentials=self._credentials
+        credentials=self._credentials, client_options=client_options
     )
 
   def get_secret(self, resource_name: str) -> str:
diff --git a/tests/unittests/integrations/secret_manager/test_secret_client.py b/tests/unittests/integrations/secret_manager/test_secret_client.py
@@ -50,7 +50,7 @@ def test_init_with_default_credentials(
         scopes=["https://www.googleapis.com/auth/cloud-platform"]
     )
     mock_secret_manager_client.assert_called_once_with(
-        credentials=mock_credentials
+        credentials=mock_credentials, client_options=None
     )
     assert client._credentials == mock_credentials
     assert client._client == mock_secret_manager_client.return_value
@@ -80,7 +80,7 @@ def test_init_with_service_account_json(
         json.loads(service_account_json)
     )
     mock_secret_manager_client.assert_called_once_with(
-        credentials=mock_credentials
+        credentials=mock_credentials, client_options=None
     )
     assert client._credentials == mock_credentials
     assert client._client == mock_secret_manager_client.return_value
@@ -106,11 +106,38 @@ def test_init_with_auth_token(self, mock_secret_manager_client):
       # Verify
       mock_credentials.refresh.assert_called_once()
       mock_secret_manager_client.assert_called_once_with(
-          credentials=mock_credentials
+          credentials=mock_credentials, client_options=None
       )
       assert client._credentials == mock_credentials
       assert client._client == mock_secret_manager_client.return_value
 
+  @patch("google.cloud.secretmanager.SecretManagerServiceClient")
+  @patch(
+      "google.adk.integrations.secret_manager.secret_client.default_service_credential"
+  )
+  def test_init_with_location(
+      self, mock_default_service_credential, mock_secret_manager_client
+  ):
+    """Test initialization with a specific location."""
+    # Setup
+    mock_credentials = MagicMock()
+    mock_default_service_credential.return_value = (
+        mock_credentials,
+        "test-project",
+    )
+    location = "us-central1"
+
+    # Execute
+    SecretManagerClient(location=location)
+
+    # Verify
+    mock_secret_manager_client.assert_called_once_with(
+        credentials=mock_credentials,
+        client_options={
+            "api_endpoint": f"secretmanager.{location}.rep.googleapis.com"
+        },
+    )
+
   @patch(
       "google.adk.integrations.secret_manager.secret_client.default_service_credential"
   )
