feat: allow users to call default service account endpoint if no email is passed

google/auth/compute_engine/credentials.py

@@ -87,10 +87,10 @@ def __init__(
             self._universe_domain = universe_domain
             self._universe_domain_cached = True
 
-    def _retrieve_info(self, request):
-        """Retrieve information about the service account.
+    def _retrieve_scopes(self, request):
+        """Retrieve scopes about the service account.
 
-        Updates the scopes and retrieves the full service account email.
+        Updates the scopes for the assosiated service account.
 
         Args:
             request (google.auth.transport.Request): The object used to make
@@ -100,11 +100,7 @@ def _retrieve_info(self, request):
             request, service_account=self._service_account_email
         )
 
-        self._service_account_email = info["email"]
-
-        # Don't override scopes requested by the user.
-        if self._scopes is None:
-            self._scopes = info["scopes"]
+        self._scopes = info["scopes"]
 
     def _metric_header_for_usage(self):
         return metrics.CRED_TYPE_SA_MDS
@@ -123,7 +119,8 @@ def refresh(self, request):
         """
         scopes = self._scopes if self._scopes is not None else self._default_scopes
         try:
-            self._retrieve_info(request)
+            if self._scopes is None:
+                self._retrieve_scopes(request)
             self.token, self.expiry = _metadata.get_service_account_token(
                 request, service_account=self._service_account_email, scopes=scopes
             )

tests/compute_engine/test_credentials.py

@@ -98,11 +98,11 @@ def test_default_state(self):
         return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
-    def test_refresh_success(self, get, utcnow):
+    def test_refresh_success_with_service_account_email(self, get, utcnow):
         get.side_effect = [
             {
                 # First request is for sevice account info.
-                "email": "service-account@example.com",
+                "email": FAKE_SERVICE_ACCOUNT_EMAIL,
                 "scopes": ["one", "two"],
             },
             {
@@ -120,7 +120,42 @@ def test_refresh_success(self, get, utcnow):
         assert self.credentials.expiry == (utcnow() + datetime.timedelta(seconds=500))
 
         # Check the credential info
-        assert self.credentials.service_account_email == "service-account@example.com"
+        assert self.credentials.service_account_email == FAKE_SERVICE_ACCOUNT_EMAIL
+        assert self.credentials._scopes == ["one", "two"]
+
+        # Check that the credentials are valid (have a token and are not
+        # expired)
+        assert self.credentials.valid
+
+    @mock.patch(
+        "google.auth._helpers.utcnow",
+        return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,
+    )
+    @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
+    def test_refresh_success_with_default_email(self, get, utcnow):
+        service_account_email = "service-account@example.com"
+        get.side_effect = [
+            {
+                # First request is for sevice account info.
+                "email": service_account_email,
+                "scopes": ["one", "two"],
+            },
+            {
+                # Second request is for the token.
+                "access_token": "token",
+                "expires_in": 500,
+            },
+        ]
+
+        # Refresh credentials
+        self.credentials.refresh(None)
+
+        # Check that the credentials have the token and proper expiration
+        assert self.credentials.token == "token"
+        assert self.credentials.expiry == (utcnow() + datetime.timedelta(seconds=500))
+
+        # Check the credential info
+        assert self.credentials.service_account_email == "default"
         assert self.credentials._scopes == ["one", "two"]
 
         # Check that the credentials are valid (have a token and are not
@@ -160,7 +195,7 @@ def test_refresh_success_with_scopes(self, get, utcnow, mock_metrics_header_valu
         assert self.credentials.expiry == (utcnow() + datetime.timedelta(seconds=500))
 
         # Check the credential info
-        assert self.credentials.service_account_email == "service-account@example.com"
+        assert self.credentials.service_account_email == "default"
         assert self.credentials._scopes == scopes
 
         # Check that the credentials are valid (have a token and are not
@@ -501,7 +536,7 @@ def test_with_target_audience_integration(self):
         responses.add(
             responses.GET,
             "http://metadata.google.internal/computeMetadata/v1/instance/"
-            "service-accounts/service-account@example.com/token",
+            "service-accounts/default/token",
             status=200,
             content_type="application/json",
             json={
@@ -659,7 +694,7 @@ def test_with_quota_project_integration(self):
         responses.add(
             responses.GET,
             "http://metadata.google.internal/computeMetadata/v1/instance/"
-            "service-accounts/service-account@example.com/token",
+            "service-accounts/default/token",
             status=200,
             content_type="application/json",
             json={