Commit
fix: ADC with impersonated workforce pools (#877)
While service account impersonation is uncommonly used with workforce pool external credentials, there is a bug where the following commands raise exceptions when impersonated workforce pools are used:

- `google.auth.default()`
- `google.auth.load_credentials_from_file()`

The issue is due to `google.auth.aws.Credentials` not supporting the `workforce_pool_user_project` argument in the constructor, unlike `google.auth.identity_pool.Credentials`.

This was indirectly passed here: https://github.com/googleapis/google-auth-library-python/blob/a37ff00d7afd6c7aac2d0fab29e05708bbc068be/google/auth/external_account.py#L395

Causing a TypeError to be raised (we only catch ValueError).

Updated the credential determination logic to explicitly check the subject token type. This is a more reliable indicator instead of a try/catch.

Increased unit test coverage in tests/test__default.py to cover these credentials.
1 parent a37ff00, commit 10bd9fb
Showing 2 changed files with 195 additions and 3 deletions.
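The failure mode and the fix described in the commit message, as an added example that is not code from this commit or from google-auth: it contrasts fall-back-on-`ValueError` dispatch with dispatch on the subject token type. `AwsCredentials`, `IdentityPoolCredentials`, `load_by_trial` and `load_by_token_type` are hypothetical stand-ins, the config values are constructed, and the stand-ins receive `workforce_pool_user_project` directly instead of through the impersonation path.

```python
# Hypothetical stand-ins, NOT google-auth classes: they model only the
# constructor signatures the commit message talks about.
AWS_SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request"


class AwsCredentials:
    # Like the AWS class in the message: no workforce_pool_user_project.
    def __init__(self, audience, subject_token_type, credential_source):
        if "environment_id" not in credential_source:
            raise ValueError("not an AWS credential source")
        self.audience = audience


class IdentityPoolCredentials:
    def __init__(self, audience, subject_token_type, credential_source,
                 workforce_pool_user_project=None):
        if "file" not in credential_source and "url" not in credential_source:
            raise ValueError("not a file/URL credential source")
        self.audience = audience
        self.workforce_pool_user_project = workforce_pool_user_project


def load_by_trial(info):
    """Old pattern: try AWS first, fall back only when ValueError is raised."""
    try:
        return AwsCredentials(**info)
    except ValueError:
        return IdentityPoolCredentials(**info)


def load_by_token_type(info):
    """Fixed pattern: pick the class from subject_token_type up front."""
    if info.get("subject_token_type") == AWS_SUBJECT_TOKEN_TYPE:
        return AwsCredentials(**info)
    return IdentityPoolCredentials(**info)


# Constructed workforce pool config (placeholder pool, provider and project).
WORKFORCE_INFO = {
    "audience": "//iam.googleapis.com/locations/global/workforcePools/"
                "POOL_ID/providers/PROVIDER_ID",
    "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
    "credential_source": {"file": "/path/to/token"},
    "workforce_pool_user_project": "constructed-project",
}
```

With `WORKFORCE_INFO`, `load_by_trial` surfaces a `TypeError` from the unexpected keyword argument because only `ValueError` triggers the fallback, while `load_by_token_type` never constructs the AWS class for a non-AWS token type.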