grpc 1.78.1 → 1.80.0

data/src/core/client_channel/subchannel_stream_client.cc

@@ -49,15 +49,13 @@ using ::grpc_event_engine::experimental::EventEngine;
 //
 
 SubchannelStreamClient::SubchannelStreamClient(
-    RefCountedPtr<ConnectedSubchannel> connected_subchannel,
-    grpc_pollset_set* interested_parties,
+    WeakRefCountedPtr<Subchannel> subchannel,
     std::unique_ptr<CallEventHandler> event_handler, const char* tracer)
     : InternallyRefCounted<SubchannelStreamClient>(tracer),
-      connected_subchannel_(std::move(connected_subchannel)),
-      interested_parties_(interested_parties),
+      subchannel_(std::move(subchannel)),
       tracer_(tracer),
       call_allocator_(MakeRefCounted<CallArenaAllocator>(
-          connected_subchannel_->args()
+          subchannel_->args()
               .GetObject<ResourceQuota>()
               ->memory_quota()
               ->CreateMemoryAllocator(
@@ -72,7 +70,7 @@ SubchannelStreamClient::SubchannelStreamClient(
               .set_jitter(SUBCHANNEL_STREAM_RECONNECT_JITTER)
               .set_max_backoff(Duration::Seconds(
                   SUBCHANNEL_STREAM_RECONNECT_MAX_BACKOFF_SECONDS))),
-      event_engine_(connected_subchannel_->args().GetObject<EventEngine>()) {
+      event_engine_(subchannel_->args().GetObject<EventEngine>()) {
   if (GPR_UNLIKELY(tracer_ != nullptr)) {
     LOG(INFO) << tracer_ << " " << this << ": created SubchannelStreamClient";
   }
@@ -114,13 +112,18 @@ void SubchannelStreamClient::StartCallLocked() {
   if (event_handler_ != nullptr) {
     event_handler_->OnCallStartLocked(this);
   }
-  call_state_ = MakeOrphanable<CallState>(Ref(), interested_parties_);
+  call_state_ = MakeOrphanable<CallState>(Ref(), subchannel_->pollset_set());
   if (GPR_UNLIKELY(tracer_ != nullptr)) {
     LOG(INFO) << tracer_ << " " << this
               << ": SubchannelStreamClient created CallState "
               << call_state_.get();
   }
-  call_state_->StartCallLocked();
+  bool call_started = call_state_->StartCallLocked();
+  // If we could not create the call due to the subchannel loosing its
+  // connection, then manually destroy the CallState object, and don't
+  // do any retry.  The caller will recreate the SubchannelStreamClient
+  // when the connection is reestablished.
+  if (!call_started) delete call_state_.release();
 }
 
 void SubchannelStreamClient::StartRetryTimerLocked() {
@@ -188,9 +191,8 @@ void SubchannelStreamClient::CallState::Orphan() {
   Cancel();
 }
 
-void SubchannelStreamClient::CallState::StartCallLocked() {
-  SubchannelCall::Args args = {
-      subchannel_stream_client_->connected_subchannel_,
+bool SubchannelStreamClient::CallState::StartCallLocked() {
+  Subchannel::CreateCallArgs args = {
       &pollent_,
       gpr_get_cycle_counter(),  // start_time
       Timestamp::InfFuture(),   // deadline
@@ -198,19 +200,21 @@ void SubchannelStreamClient::CallState::StartCallLocked() {
       &call_combiner_,
   };
   grpc_error_handle error;
-  call_ = SubchannelCall::Create(std::move(args), &error).release();
+  call_ = subchannel_stream_client_->subchannel_->CreateCall(args, &error)
+              .release();
+  // If there was no connection to start a call on, signal the caller
+  // that we didn't create the call.
+  if (call_ == nullptr) return false;
   // Register after-destruction callback.
   GRPC_CLOSURE_INIT(&after_call_stack_destruction_, AfterCallStackDestruction,
                     this, grpc_schedule_on_exec_ctx);
   call_->SetAfterCallStackDestroy(&after_call_stack_destruction_);
-  // Check if creation failed.
   if (!error.ok() || subchannel_stream_client_->event_handler_ == nullptr) {
     LOG(ERROR) << "SubchannelStreamClient " << subchannel_stream_client_.get()
                << " CallState " << this << ": error creating "
-               << "stream on subchannel (" << StatusToString(error)
-               << "); will retry";
+               << "stream on subchannel (" << error << "); will retry";
     CallEndedLocked(/*retry=*/true);
-    return;
+    return true;
   }
   // Initialize payload and batch.
   batch_.payload = &payload_;
@@ -222,7 +226,6 @@ void SubchannelStreamClient::CallState::StartCallLocked() {
   send_initial_metadata_.Set(
       HttpPathMetadata(),
       subchannel_stream_client_->event_handler_->GetPathLocked());
-  GRPC_CHECK(error.ok());
   payload_.send_initial_metadata.send_initial_metadata =
       &send_initial_metadata_;
   batch_.send_initial_metadata = true;
@@ -271,12 +274,13 @@ void SubchannelStreamClient::CallState::StartCallLocked() {
   recv_trailing_metadata_batch_.recv_trailing_metadata = true;
   // Start recv_trailing_metadata batch.
   StartBatch(&recv_trailing_metadata_batch_);
+  return true;
 }
 
 void SubchannelStreamClient::CallState::StartBatchInCallCombiner(
     void* arg, grpc_error_handle /*error*/) {
   auto* batch = static_cast<grpc_transport_stream_op_batch*>(arg);
-  auto* call = static_cast<SubchannelCall*>(batch->handler_private.extra_arg);
+  auto* call = static_cast<Subchannel::Call*>(batch->handler_private.extra_arg);
   call->StartTransportStreamOpBatch(batch);
 }
 

data/src/core/client_channel/subchannel_stream_client.h

@@ -98,10 +98,9 @@ class SubchannelStreamClient final
   // string being the first part of the log message.
   // Does not take ownership of interested_parties; the caller is responsible
   // for ensuring that it will outlive the SubchannelStreamClient.
-  SubchannelStreamClient(
-      RefCountedPtr<ConnectedSubchannel> connected_subchannel,
-      grpc_pollset_set* interested_parties,
-      std::unique_ptr<CallEventHandler> event_handler, const char* tracer);
+  SubchannelStreamClient(WeakRefCountedPtr<Subchannel> subchannel,
+                         std::unique_ptr<CallEventHandler> event_handler,
+                         const char* tracer);
 
   ~SubchannelStreamClient() override;
 
@@ -117,7 +116,8 @@ class SubchannelStreamClient final
 
     void Orphan() override;
 
-    void StartCallLocked()
+    // Returns false if there was no connection to start a call on.
+    GRPC_MUST_USE_RESULT bool StartCallLocked()
         ABSL_EXCLUSIVE_LOCKS_REQUIRED(&SubchannelStreamClient::mu_);
 
    private:
@@ -149,7 +149,7 @@ class SubchannelStreamClient final
     // The streaming call to the backend. Always non-null.
     // Refs are tracked manually; when the last ref is released, the
     // CallState object will be automatically destroyed.
-    SubchannelCall* call_;
+    Subchannel::Call* call_;
 
     grpc_transport_stream_op_batch_payload payload_;
     grpc_transport_stream_op_batch batch_;
@@ -194,8 +194,7 @@ class SubchannelStreamClient final
   void StartRetryTimerLocked() ABSL_EXCLUSIVE_LOCKS_REQUIRED(&mu_);
   void OnRetryTimer() ABSL_LOCKS_EXCLUDED(mu_);
 
-  RefCountedPtr<ConnectedSubchannel> connected_subchannel_;
-  grpc_pollset_set* interested_parties_;  // Do not own.
+  WeakRefCountedPtr<Subchannel> subchannel_;
   const char* tracer_;
   RefCountedPtr<CallArenaAllocator> call_allocator_;
 
@@ -210,7 +209,7 @@ class SubchannelStreamClient final
   BackOff retry_backoff_ ABSL_GUARDED_BY(mu_);
   std::optional<grpc_event_engine::experimental::EventEngine::TaskHandle>
       retry_timer_handle_ ABSL_GUARDED_BY(mu_);
-  // A raw pointer will suffice since connected_subchannel_ holds a copy of the
+  // A raw pointer will suffice since subchannel_ holds a copy of the
   // ChannelArgs which holds an std::shared_ptr of the EventEngine.
   grpc_event_engine::experimental::EventEngine* event_engine_
       ABSL_GUARDED_BY(mu_);

data/src/core/client_channel/subchannel_stream_limiter.cc

@@ -0,0 +1,76 @@
+//
+// Copyright 2026 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#include "src/core/client_channel/subchannel_stream_limiter.h"
+
+namespace grpc_core {
+
+namespace {
+
+uint64_t MakeStreamCounts(uint32_t max_concurrent_streams,
+                          uint32_t rpcs_in_flight) {
+  return (static_cast<uint64_t>(max_concurrent_streams) << 32) +
+         static_cast<int64_t>(rpcs_in_flight);
+}
+
+uint32_t GetMaxConcurrentStreams(uint64_t stream_counts) {
+  return static_cast<uint32_t>(stream_counts >> 32);
+}
+
+uint32_t GetRpcsInFlight(uint64_t stream_counts) {
+  return static_cast<uint32_t>(stream_counts & 0xffffffffu);
+}
+
+}  // namespace
+
+SubchannelStreamLimiter::SubchannelStreamLimiter(
+    uint32_t max_concurrent_streams)
+    : stream_counts_(MakeStreamCounts(max_concurrent_streams, 0)) {}
+
+bool SubchannelStreamLimiter::SetMaxConcurrentStreams(
+    uint32_t max_concurrent_streams) {
+  uint64_t prev_stream_counts = stream_counts_.load(std::memory_order_acquire);
+  uint32_t rpcs_in_flight;
+  do {
+    rpcs_in_flight = GetRpcsInFlight(prev_stream_counts);
+  } while (!stream_counts_.compare_exchange_weak(
+      prev_stream_counts,
+      MakeStreamCounts(max_concurrent_streams, rpcs_in_flight),
+      std::memory_order_acq_rel, std::memory_order_acquire));
+  return rpcs_in_flight < max_concurrent_streams;
+}
+
+bool SubchannelStreamLimiter::GetQuotaForRpc() {
+  uint64_t prev_stream_counts = stream_counts_.load(std::memory_order_acquire);
+  do {
+    const uint32_t rpcs_in_flight = GetRpcsInFlight(prev_stream_counts);
+    const uint32_t max_concurrent_streams =
+        GetMaxConcurrentStreams(prev_stream_counts);
+    if (rpcs_in_flight == max_concurrent_streams) return false;
+  } while (!stream_counts_.compare_exchange_weak(
+      prev_stream_counts, prev_stream_counts + MakeStreamCounts(0, 1),
+      std::memory_order_acq_rel, std::memory_order_acquire));
+  return true;
+}
+
+bool SubchannelStreamLimiter::ReturnQuotaForRpc() {
+  const uint64_t prev_stream_counts =
+      stream_counts_.fetch_sub(MakeStreamCounts(0, 1));
+  return GetRpcsInFlight(prev_stream_counts) ==
+         GetMaxConcurrentStreams(prev_stream_counts);
+}
+
+}  // namespace grpc_core

data/src/core/client_channel/subchannel_stream_limiter.h

@@ -0,0 +1,51 @@
+//
+// Copyright 2026 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#ifndef GRPC_SRC_CORE_CLIENT_CHANNEL_SUBCHANNEL_STREAM_LIMITER_H
+#define GRPC_SRC_CORE_CLIENT_CHANNEL_SUBCHANNEL_STREAM_LIMITER_H
+
+#include <atomic>
+#include <cstdint>
+
+namespace grpc_core {
+
+class SubchannelStreamLimiter {
+ public:
+  explicit SubchannelStreamLimiter(uint32_t max_concurrent_streams);
+
+  // Sets the maximum number of concurrent streams.
+  // Returns true if the current number of RPCs in flight is less than the new
+  // maximum.
+  bool SetMaxConcurrentStreams(uint32_t max_concurrent_streams);
+
+  // Attempts to get quota for a new RPC.
+  // Returns true if quota was acquired, false otherwise.
+  bool GetQuotaForRpc();
+
+  // Returns quota for a completed RPC.
+  // Returns true if the connection is no longer above its quota.
+  bool ReturnQuotaForRpc();
+
+ private:
+  // First 32 bits are the MAX_CONCURRENT_STREAMS value reported by
+  // the transport.
+  // Last 32 bits are the current number of RPCs in flight on the connection.
+  std::atomic<uint64_t> stream_counts_{0};
+};
+
+}  // namespace grpc_core
+
+#endif  // GRPC_SRC_CORE_CLIENT_CHANNEL_SUBCHANNEL_STREAM_LIMITER_H

data/src/core/config/config_vars.cc

@@ -97,6 +97,8 @@ ABSL_FLAG(absl::optional<double>, grpc_experimental_memory_pressure_threshold,
           "EXPERIMENTAL: The threshold for the memory quota pressure "
           "controller. This is a value between 0 and 1, and must always be "
           "greater than the target pressure.");
+ABSL_FLAG(absl::optional<int32_t>, grpc_chaotic_good_metrics_update_interval_ms,
+          {}, "Interval in milliseconds for updating metrics in chaotic good.");
 
 namespace grpc_core {
 
@@ -109,6 +111,10 @@ ConfigVars::ConfigVars(const Overrides& overrides)
           LoadConfig(FLAGS_grpc_channelz_max_orphaned_nodes,
                      "GRPC_CHANNELZ_MAX_ORPHANED_NODES",
                      overrides.channelz_max_orphaned_nodes, 0)),
+      chaotic_good_metrics_update_interval_ms_(
+          LoadConfig(FLAGS_grpc_chaotic_good_metrics_update_interval_ms,
+                     "GRPC_CHAOTIC_GOOD_METRICS_UPDATE_INTERVAL_MS",
+                     overrides.chaotic_good_metrics_update_interval_ms, 100)),
       experimental_target_memory_pressure_(
           LoadConfig(FLAGS_grpc_experimental_target_memory_pressure,
                      "GRPC_EXPERIMENTAL_TARGET_MEMORY_PRESSURE",
@@ -194,6 +200,8 @@ std::string ConfigVars::ToString() const {
       ", experimental_target_memory_pressure: ",
       ExperimentalTargetMemoryPressure(),
       ", experimental_memory_pressure_threshold: ",
-      ExperimentalMemoryPressureThreshold());
+      ExperimentalMemoryPressureThreshold(),
+      ", chaotic_good_metrics_update_interval_ms: ",
+      ChaoticGoodMetricsUpdateIntervalMs());
 }
 }  // namespace grpc_core

data/src/core/config/config_vars.h

@@ -36,6 +36,7 @@ class GPR_DLL ConfigVars {
   struct Overrides {
     absl::optional<int32_t> client_channel_backup_poll_interval_ms;
     absl::optional<int32_t> channelz_max_orphaned_nodes;
+    absl::optional<int32_t> chaotic_good_metrics_update_interval_ms;
     absl::optional<double> experimental_target_memory_pressure;
     absl::optional<double> experimental_memory_pressure_threshold;
     absl::optional<bool> enable_fork_support;
@@ -133,6 +134,10 @@ class GPR_DLL ConfigVars {
   double ExperimentalMemoryPressureThreshold() const {
     return experimental_memory_pressure_threshold_;
   }
+  // Interval in milliseconds for updating metrics in chaotic good.
+  int32_t ChaoticGoodMetricsUpdateIntervalMs() const {
+    return chaotic_good_metrics_update_interval_ms_;
+  }
 
  private:
   explicit ConfigVars(const Overrides& overrides);
@@ -140,6 +145,7 @@ class GPR_DLL ConfigVars {
   static std::atomic<ConfigVars*> config_vars_;
   int32_t client_channel_backup_poll_interval_ms_;
   int32_t channelz_max_orphaned_nodes_;
+  int32_t chaotic_good_metrics_update_interval_ms_;
   double experimental_target_memory_pressure_;
   double experimental_memory_pressure_threshold_;
   bool enable_fork_support_;

data/src/core/credentials/call/call_creds_registry.h

@@ -37,6 +37,8 @@ class CallCredsConfig : public RefCounted<CallCredsConfig> {
  public:
   virtual absl::string_view type() const = 0;
 
+  virtual absl::string_view proto_type() const = 0;
+
   virtual bool Equals(const CallCredsConfig& other) const = 0;
 
   virtual std::string ToString() const = 0;
@@ -47,11 +49,15 @@ class CallCredsFactory final {
  public:
   virtual ~CallCredsFactory() {}
   virtual absl::string_view type() const = delete;
-  virtual RefCountedPtr<CallCredsConfig> ParseConfig(
+  virtual RefCountedPtr<const CallCredsConfig> ParseConfig(
       const Json& config, const JsonArgs& args,
       ValidationErrors* errors) const = delete;
+  virtual absl::string_view proto_type() const = delete;
+  virtual RefCountedPtr<const CallCredsConfig> ParseProto(
+      absl::string_view serialized_proto,
+      ValidationErrors* errors) const = delete;
   virtual RefCountedPtr<T> CreateCallCreds(
-      RefCountedPtr<CallCredsConfig> config) const = delete;
+      RefCountedPtr<const CallCredsConfig> config) const = delete;
 };
 
 template <>
@@ -59,18 +65,21 @@ class CallCredsFactory<grpc_call_credentials> {
  public:
   virtual ~CallCredsFactory() {}
   virtual absl::string_view type() const = 0;
-  virtual RefCountedPtr<CallCredsConfig> ParseConfig(
+  virtual RefCountedPtr<const CallCredsConfig> ParseConfig(
       const Json& config, const JsonArgs& args,
       ValidationErrors* errors) const = 0;
+  virtual absl::string_view proto_type() const = 0;
+  virtual RefCountedPtr<const CallCredsConfig> ParseProto(
+      absl::string_view serialized_proto, ValidationErrors* errors) const = 0;
   virtual RefCountedPtr<grpc_call_credentials> CreateCallCreds(
-      RefCountedPtr<CallCredsConfig> config) const = 0;
+      RefCountedPtr<const CallCredsConfig> config) const = 0;
 };
 
 template <typename T = grpc_call_credentials>
 class CallCredsRegistry {
  private:
   using FactoryMap =
-      std::map<absl::string_view, std::unique_ptr<CallCredsFactory<T>>>;
+      std::map<absl::string_view, std::shared_ptr<CallCredsFactory<T>>>;
 
  public:
   static_assert(std::is_base_of<grpc_call_credentials, T>::value,
@@ -81,43 +90,63 @@ class CallCredsRegistry {
    public:
     void RegisterCallCredsFactory(
         std::unique_ptr<CallCredsFactory<T>> factory) {
-      absl::string_view type = factory->type();
-      factories_[type] = std::move(factory);
+      std::shared_ptr<CallCredsFactory<T>> shared_factory(std::move(factory));
+      absl::string_view type = shared_factory->type();
+      if (!type.empty()) name_map_[type] = shared_factory;
+      absl::string_view proto_type = shared_factory->proto_type();
+      if (!proto_type.empty()) proto_map_[proto_type] = shared_factory;
     }
+
     CallCredsRegistry Build() {
-      return CallCredsRegistry<T>(std::move(factories_));
+      return CallCredsRegistry<T>(std::move(name_map_), std::move(proto_map_));
     }
 
    private:
-    FactoryMap factories_;
+    FactoryMap name_map_;
+    FactoryMap proto_map_;
   };
 
   bool IsSupported(absl::string_view type) const {
-    return factories_.find(type) != factories_.end();
+    return name_map_.find(type) != name_map_.end();
   }
 
-  RefCountedPtr<CallCredsConfig> ParseConfig(absl::string_view type,
-                                             const Json& config,
-                                             const JsonArgs& args,
-                                             ValidationErrors* errors) const {
-    const auto it = factories_.find(type);
-    if (it == factories_.cend()) return nullptr;
+  RefCountedPtr<const CallCredsConfig> ParseConfig(
+      absl::string_view type, const Json& config, const JsonArgs& args,
+      ValidationErrors* errors) const {
+    const auto it = name_map_.find(type);
+    if (it == name_map_.cend()) return nullptr;
     return it->second->ParseConfig(config, args, errors);
   }
 
+  bool IsProtoSupported(absl::string_view type) const {
+    return proto_map_.find(type) != proto_map_.end();
+  }
+
+  RefCountedPtr<const CallCredsConfig> ParseProto(
+      absl::string_view proto_type, absl::string_view serialized_proto,
+      ValidationErrors* errors) const {
+    const auto it = proto_map_.find(proto_type);
+    if (it == proto_map_.cend()) return nullptr;
+    return it->second->ParseProto(serialized_proto, errors);
+  }
+
   RefCountedPtr<T> CreateCallCreds(
-      RefCountedPtr<CallCredsConfig> config) const {
+      RefCountedPtr<const CallCredsConfig> config) const {
     if (config == nullptr) return nullptr;
-    const auto it = factories_.find(config->type());
-    if (it == factories_.cend()) return nullptr;
+    auto it = name_map_.find(config->type());
+    if (it == name_map_.cend()) {
+      it = proto_map_.find(config->proto_type());
+      if (it == proto_map_.cend()) return nullptr;
+    }
     return it->second->CreateCallCreds(std::move(config));
   }
 
  private:
-  explicit CallCredsRegistry(FactoryMap factories)
-      : factories_(std::move(factories)) {}
+  CallCredsRegistry(FactoryMap name_map, FactoryMap proto_map)
+      : name_map_(std::move(name_map)), proto_map_(std::move(proto_map)) {}
 
-  FactoryMap factories_;
+  FactoryMap name_map_;
+  FactoryMap proto_map_;
 };
 
 }  // namespace grpc_core

data/src/core/credentials/call/call_creds_registry_init.cc

@@ -22,10 +22,12 @@
 #include <memory>
 #include <string>
 
+#include "envoy/extensions/grpc_service/call_credentials/access_token/v3/access_token_credentials.upb.h"
 #include "src/core/config/core_configuration.h"
 #include "src/core/credentials/call/call_credentials.h"
 #include "src/core/credentials/call/call_creds_registry.h"
 #include "src/core/credentials/call/jwt_token_file/jwt_token_file_call_credentials.h"
+#include "src/core/credentials/call/oauth2/oauth2_credentials.h"
 #include "src/core/util/down_cast.h"
 #include "src/core/util/json/json.h"
 #include "src/core/util/json/json_args.h"
@@ -41,14 +43,22 @@ class JwtTokenFileCallCredsFactory : public CallCredsFactory<> {
  public:
   absl::string_view type() const override { return Type(); }
 
-  RefCountedPtr<CallCredsConfig> ParseConfig(
+  RefCountedPtr<const CallCredsConfig> ParseConfig(
       const Json& config, const JsonArgs& args,
       ValidationErrors* errors) const override {
     return LoadFromJson<RefCountedPtr<Config>>(config, args, errors);
   }
 
+  absl::string_view proto_type() const override { return ""; }
+
+  RefCountedPtr<const CallCredsConfig> ParseProto(
+      absl::string_view /*serialized_proto*/,
+      ValidationErrors* /*errors*/) const override {
+    return nullptr;
+  }
+
   RefCountedPtr<grpc_call_credentials> CreateCallCreds(
-      RefCountedPtr<CallCredsConfig> base_config) const override {
+      RefCountedPtr<const CallCredsConfig> base_config) const override {
     auto* config = DownCast<const Config*>(base_config.get());
     return MakeRefCounted<JwtTokenFileCallCredentials>(config->path());
   }
@@ -58,6 +68,8 @@ class JwtTokenFileCallCredsFactory : public CallCredsFactory<> {
    public:
     absl::string_view type() const override { return Type(); }
 
+    absl::string_view proto_type() const override { return ""; }
+
     bool Equals(const CallCredsConfig& other) const override {
       auto& o = DownCast<const Config&>(other);
       return path_ == o.path_;
@@ -83,9 +95,81 @@ class JwtTokenFileCallCredsFactory : public CallCredsFactory<> {
   static absl::string_view Type() { return "jwt_token_file"; }
 };
 
+class AccessTokenCallCredsFactory : public CallCredsFactory<> {
+ public:
+  absl::string_view type() const override { return ""; }
+
+  RefCountedPtr<const CallCredsConfig> ParseConfig(
+      const Json& /*config*/, const JsonArgs& /*args*/,
+      ValidationErrors* /*errors*/) const override {
+    return nullptr;
+  }
+
+  absl::string_view proto_type() const override { return ProtoType(); }
+
+  RefCountedPtr<const CallCredsConfig> ParseProto(
+      absl::string_view serialized_proto,
+      ValidationErrors* errors) const override {
+    upb::Arena arena;
+    const auto* proto =
+        envoy_extensions_grpc_service_call_credentials_access_token_v3_AccessTokenCredentials_parse(
+            serialized_proto.data(), serialized_proto.size(), arena.ptr());
+    if (proto == nullptr) {
+      errors->AddError("could not parse call credentials config");
+      return nullptr;
+    }
+    absl::string_view token = UpbStringToAbsl(
+        envoy_extensions_grpc_service_call_credentials_access_token_v3_AccessTokenCredentials_token(
+            proto));
+    if (token.empty()) {
+      ValidationErrors::ScopedField field(errors, ".token");
+      errors->AddError("field not present");
+    }
+    return MakeRefCounted<Config>(token);
+  }
+
+  RefCountedPtr<grpc_call_credentials> CreateCallCreds(
+      RefCountedPtr<const CallCredsConfig> base_config) const override {
+    auto* config = DownCast<const Config*>(base_config.get());
+    return MakeRefCounted<grpc_access_token_credentials>(
+        config->token().c_str());
+  }
+
+ private:
+  class Config : public CallCredsConfig {
+   public:
+    explicit Config(absl::string_view token) : token_(token) {}
+
+    absl::string_view type() const override { return ""; }
+
+    absl::string_view proto_type() const override { return ProtoType(); }
+
+    bool Equals(const CallCredsConfig& other) const override {
+      auto& o = DownCast<const Config&>(other);
+      return token_ == o.token_;
+    }
+
+    std::string ToString() const override {
+      return absl::StrCat("{token=\"", token_, "\"}");
+    }
+
+    const std::string& token() const { return token_; }
+
+   private:
+    std::string token_;
+  };
+
+  static absl::string_view ProtoType() {
+    return "envoy.extensions.grpc_service.call_credentials.access_token"
+           ".v3.AccessTokenCredentials";
+  }
+};
+
 void RegisterDefaultCallCreds(CoreConfiguration::Builder* builder) {
   builder->call_creds_registry()->RegisterCallCredsFactory(
       std::make_unique<JwtTokenFileCallCredsFactory>());
+  builder->call_creds_registry()->RegisterCallCredsFactory(
+      std::make_unique<AccessTokenCallCredsFactory>());
 }
 
 }  // namespace grpc_core

data/src/core/credentials/call/external/aws_external_account_credentials.cc

@@ -292,8 +292,8 @@ void AwsExternalAccountCredentials::AwsFetchBody::RetrieveSigningKeys() {
     return;
   }
   if (role_name_.empty()) {
-    AsyncFinish(
-        GRPC_ERROR_CREATE("Missing role name when retrieving signing keys."));
+    AsyncFinish(absl::UnauthenticatedError(
+        "Missing role name when retrieving signing keys."));
     return;
   }
   std::string url_with_role_name = absl::StrCat(creds_->url_, "/", role_name_);

data/src/core/credentials/call/external/external_account_credentials.cc

@@ -34,6 +34,7 @@
 #include "src/core/credentials/call/external/url_external_account_credentials.h"
 #include "src/core/credentials/call/json_util.h"
 #include "src/core/credentials/transport/transport_credentials.h"
+#include "src/core/lib/transport/status_conversion.h"
 #include "src/core/util/grpc_check.h"
 #include "src/core/util/http_client/httpcli_ssl_credentials.h"
 #include "src/core/util/http_client/parser.h"
@@ -108,7 +109,13 @@ void ExternalAccountCredentials::HttpFetchBody::OnHttpResponse(
   absl::string_view response_body(self->response_.body,
                                   self->response_.body_length);
   if (self->response_.status != 200) {
-    self->Finish(absl::UnavailableError(
+    grpc_status_code status_code =
+        grpc_http2_status_to_grpc_status(self->response_.status);
+    if (status_code != GRPC_STATUS_UNAVAILABLE) {
+      status_code = GRPC_STATUS_UNAUTHENTICATED;
+    }
+    self->Finish(absl::Status(
+        static_cast<absl::StatusCode>(status_code),
         absl::StrCat("Call to HTTP server ended with status ",
                      self->response_.status, " [", response_body, "]")));
     return;
@@ -180,7 +187,7 @@ void ExternalAccountCredentials::ExternalFetchRequest::ExchangeToken(
   // Parse URI.
   absl::StatusOr<URI> uri = URI::Parse(options().token_url);
   if (!uri.ok()) {
-    return FinishTokenFetch(GRPC_ERROR_CREATE(
+    return FinishTokenFetch(absl::UnauthenticatedError(
         absl::StrFormat("Invalid token url: %s. Error: %s", options().token_url,
                         uri.status().ToString())));
   }
@@ -284,7 +291,7 @@ void ExternalAccountCredentials::ExternalFetchRequest::
   }
   auto it = json->object().find("access_token");
   if (it == json->object().end() || it->second.type() != Json::Type::kString) {
-    FinishTokenFetch(GRPC_ERROR_CREATE(absl::StrFormat(
+    FinishTokenFetch(absl::UnauthenticatedError(absl::StrFormat(
         "Missing or invalid access_token in %s.", *response_body)));
     return;
   }
@@ -292,7 +299,7 @@ void ExternalAccountCredentials::ExternalFetchRequest::
   absl::StatusOr<URI> uri =
       URI::Parse(options().service_account_impersonation_url);
   if (!uri.ok()) {
-    FinishTokenFetch(GRPC_ERROR_CREATE(absl::StrFormat(
+    FinishTokenFetch(absl::UnauthenticatedError(absl::StrFormat(
         "Invalid service account impersonation url: %s. Error: %s",
         options().service_account_impersonation_url, uri.status().ToString())));
     return;