From 89c3e9ec0f8a717d196192dbe6ad55c02dd56ab0 Mon Sep 17 00:00:00 2001
From: Michael Ruoss <michael.ruoss@cradle.bio>
Date: Fri, 16 Jan 2026 10:33:26 +0100
Subject: [PATCH] fix: use CSQL_PROXY_AUTO_IAM_AUTHN instead of params to
 enable auto-iam-authn (#719)

---
 internal/workload/podspec_updates.go      | 9 +++------
 internal/workload/podspec_updates_test.go | 6 +++---
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/internal/workload/podspec_updates.go b/internal/workload/podspec_updates.go
index 693eae54..69f1cfda 100644
--- a/internal/workload/podspec_updates.go
+++ b/internal/workload/podspec_updates.go
@@ -679,13 +679,10 @@ func (s *updateState) updateContainer(p *cloudsqlapi.AuthProxyWorkload, c *corev
 
 		}
 
-		if inst.AutoIAMAuthN != nil {
-			if *inst.AutoIAMAuthN {
-				params["auto-iam-authn"] = "true"
-			} else {
-				params["auto-iam-authn"] = "false"
-			}
+		if inst.AutoIAMAuthN != nil && *inst.AutoIAMAuthN {
+			s.addProxyContainerEnvVar(p, "CSQL_PROXY_AUTO_IAM_AUTHN", "true")
 		}
+
 		if inst.PrivateIP != nil {
 			if *inst.PrivateIP {
 				params["private-ip"] = "true"
diff --git a/internal/workload/podspec_updates_test.go b/internal/workload/podspec_updates_test.go
index 956a3cf1..a344ad37 100644
--- a/internal/workload/podspec_updates_test.go
+++ b/internal/workload/podspec_updates_test.go
@@ -670,9 +670,9 @@ func TestProxyCLIArgs(t *testing.T) {
 						AutoIAMAuthN:     &wantFalse,
 					}},
 			},
-			wantProxyArgContains: []string{
-				fmt.Sprintf("hello:world:one?auto-iam-authn=true&port=%d", workload.DefaultFirstPort),
-				fmt.Sprintf("hello:world:two?auto-iam-authn=false&port=%d", workload.DefaultFirstPort+1)},
+			wantWorkloadEnv: map[string]string{
+				"CSQL_PROXY_AUTO_IAM_AUTHN": "true",
+			},
 		},
 		{
 			desc: "private-ip set",