fix: Skip checking projectid on cred if env var is set (#1349)
* fix: Skip checking projectid on cred if env var is set

* add test for legacy project

---------

Co-authored-by: Carl Lundin <108372512+clundin25@users.noreply.github.com>
sai-sunder-s and clundin25 authored Jul 13, 2023
1 parent 2b6a2cf commit a4135a3
Showing 2 changed files with 59 additions and 3 deletions.
7 changes: 4 additions & 3 deletions google/auth/_default.py
Expand Up @@ -660,24 +660,25 @@ def default(scopes=None, request=None, quota_project_id=None, default_scopes=Non
credentials, scopes, default_scopes=default_scopes
)

effective_project_id = explicit_project_id or project_id

# For external account credentials, scopes are required to determine
# the project ID. Try to get the project ID again if not yet
# determined.
if not project_id and callable(
if not effective_project_id and callable(
getattr(credentials, "get_project_id", None)
):
if request is None:
import google.auth.transport.requests

request = google.auth.transport.requests.Request()
project_id = credentials.get_project_id(request=request)
effective_project_id = credentials.get_project_id(request=request)

if quota_project_id and isinstance(
credentials, CredentialsWithQuotaProject
):
credentials = credentials.with_quota_project(quota_project_id)

effective_project_id = explicit_project_id or project_id
if not effective_project_id:
_LOGGER.warning(
"No project ID could be determined. Consider running "
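Review bot: The comment above the `get_project_id` branch still says only "Try to get the project ID again if not yet determined", which no longer tells a reader that an explicitly supplied project now suppresses the credential lookup altogether. With the condition switched to `if not effective_project_id and callable(`, a value in `explicit_project_id` (from the environment, judging by the commit title and the new tests) is returned without being compared to the project the credential resolves to. I would add `# An explicitly configured project ID skips this lookup; it is returned as-is and is not checked against the credential.` to that comment block. `default()` begins and ends outside this hunk, so where `explicit_project_id` is assigned and what is finally returned are not visible here.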
55 changes: 55 additions & 0 deletions tests/test__default.py
Expand Up @@ -1030,6 +1030,61 @@ def test_default_environ_external_credentials_identity_pool_impersonated(
assert project_id is mock.sentinel.project_id
assert credentials.scopes == ["https://www.google.com/calendar/feeds"]

# The credential.get_project_id should have been used in _get_external_account_credentials and default
assert get_project_id.call_count == 2


@EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH
@mock.patch.dict(os.environ)
def test_default_environ_external_credentials_project_from_env(
get_project_id, monkeypatch, tmpdir
):
project_from_env = "project_from_env"
os.environ[environment_vars.PROJECT] = project_from_env

config_file = tmpdir.join("config.json")
config_file.write(json.dumps(IMPERSONATED_IDENTITY_POOL_DATA))
monkeypatch.setenv(environment_vars.CREDENTIALS, str(config_file))

credentials, project_id = _default.default(
scopes=["https://www.google.com/calendar/feeds"]
)

assert isinstance(credentials, identity_pool.Credentials)
assert not credentials.is_user
assert not credentials.is_workforce_pool
assert project_id == project_from_env
assert credentials.scopes == ["https://www.google.com/calendar/feeds"]

# The credential.get_project_id should have been used only in _get_external_account_credentials
assert get_project_id.call_count == 1


@EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH
@mock.patch.dict(os.environ)
def test_default_environ_external_credentials_legacy_project_from_env(
get_project_id, monkeypatch, tmpdir
):
project_from_env = "project_from_env"
os.environ[environment_vars.LEGACY_PROJECT] = project_from_env

config_file = tmpdir.join("config.json")
config_file.write(json.dumps(IMPERSONATED_IDENTITY_POOL_DATA))
monkeypatch.setenv(environment_vars.CREDENTIALS, str(config_file))

credentials, project_id = _default.default(
scopes=["https://www.google.com/calendar/feeds"]
)

assert isinstance(credentials, identity_pool.Credentials)
assert not credentials.is_user
assert not credentials.is_workforce_pool
assert project_id == project_from_env
assert credentials.scopes == ["https://www.google.com/calendar/feeds"]

# The credential.get_project_id should have been used only in _get_external_account_credentials
assert get_project_id.call_count == 1


@EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH
def test_default_environ_external_credentials_aws_impersonated(
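Review bot: `test_default_environ_external_credentials_legacy_project_from_env` sets only `environment_vars.LEGACY_PROJECT` and never clears `environment_vars.PROJECT`, so its outcome depends on the test runner's ambient environment, assuming `default()` prefers the non-legacy variable. Adding `monkeypatch.delenv(environment_vars.PROJECT, raising=False)` before the assignment would pin it. Both new tests also mix a direct `os.environ[...] = project_from_env` write under `mock.patch.dict(os.environ)` with `monkeypatch.setenv` for the credentials path; using `monkeypatch.setenv` for both would be consistent. The two bodies differ only in the variable name and could be a single parametrized test over the two environment variables.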
