diff --git a/google/auth/compute_engine/credentials.py b/google/auth/compute_engine/credentials.py index f0126c0a8..74f12e7cc 100644 --- a/google/auth/compute_engine/credentials.py +++ b/google/auth/compute_engine/credentials.py @@ -87,25 +87,6 @@ def __init__( self._universe_domain = universe_domain self._universe_domain_cached = True - def _retrieve_info(self, request): - """Retrieve information about the service account. - - Updates the scopes and retrieves the full service account email. - - Args: - request (google.auth.transport.Request): The object used to make - HTTP requests. - """ - info = _metadata.get_service_account_info( - request, service_account=self._service_account_email - ) - - self._service_account_email = info["email"] - - # Don't override scopes requested by the user. - if self._scopes is None: - self._scopes = info["scopes"] - def _metric_header_for_usage(self): return metrics.CRED_TYPE_SA_MDS @@ -123,7 +104,6 @@ def refresh(self, request): """ scopes = self._scopes if self._scopes is not None else self._default_scopes try: - self._retrieve_info(request) self.token, self.expiry = _metadata.get_service_account_token( request, service_account=self._service_account_email, scopes=scopes ) diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc index f54c3f987..c19e8785a 100644 Binary files a/system_tests/secrets.tar.enc and b/system_tests/secrets.tar.enc differ diff --git a/system_tests/system_tests_sync/test_compute_engine.py b/system_tests/system_tests_sync/test_compute_engine.py index 1e0eaf11d..2ac1be592 100644 --- a/system_tests/system_tests_sync/test_compute_engine.py +++ b/system_tests/system_tests_sync/test_compute_engine.py @@ -35,7 +35,7 @@ def check_gce_environment(http_request): pytest.skip("Compute Engine metadata service is not available.") -def test_refresh(http_request, token_info): +def test_refresh(http_request): credentials = compute_engine.Credentials() credentials.refresh(http_request) 
@@ -43,9 +43,7 @@ def test_refresh(http_request, token_info): assert credentials.token is not None assert credentials.service_account_email is not None - info = token_info(credentials.token) - info_scopes = _helpers.string_to_scopes(info["scope"]) - assert set(info_scopes) == set(credentials.scopes) + assert credentials.scopes is None def test_default(verify_refresh): diff --git a/tests/compute_engine/test_credentials.py b/tests/compute_engine/test_credentials.py index fddfb7f64..8485ece4b 100644 --- a/tests/compute_engine/test_credentials.py +++ b/tests/compute_engine/test_credentials.py @@ -99,18 +99,7 @@ def test_default_state(self): ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) def test_refresh_success(self, get, utcnow): - get.side_effect = [ - { - # First request is for sevice account info. - "email": "service-account@example.com", - "scopes": ["one", "two"], - }, - { - # Second request is for the token. - "access_token": "token", - "expires_in": 500, - }, - ] + get.side_effect = [{"access_token": "token", "expires_in": 500}] # Refresh credentials self.credentials.refresh(None) @@ -120,8 +109,8 @@ def test_refresh_success(self, get, utcnow): assert self.credentials.expiry == (utcnow() + datetime.timedelta(seconds=500)) # Check the credential info - assert self.credentials.service_account_email == "service-account@example.com" - assert self.credentials._scopes == ["one", "two"] + assert self.credentials.service_account_email == "default" + assert self.credentials._scopes is None # Check that the credentials are valid (have a token and are not # expired) 
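Review bot: The new `assert credentials.scopes is None` in `test_refresh` pins the absence of scopes after a live refresh without saying why, and with the tokeninfo comparison gone nothing in this test checks what the issued token is actually scoped to. A short comment above the assertion would stop the next reader from treating it as a mistake, for example `# refresh() does not query service-account info, so scopes stay unset unless the caller passed them`. Code that reads `credentials.scopes` to judge whether a token is narrow enough will now see `None` on a default-constructed credential, which is worth stating in the test or the changelog. If `_helpers` was imported in this file only for `string_to_scopes`, the import is probably unused now; the import block is outside the hunk, so this needs checking.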
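Review bot: In `test_refresh_success` the single-element `get.side_effect` enforces "one metadata request" only indirectly, because a second call would surface as a `StopIteration` from the exhausted mock rather than as a readable assertion. Adding `assert get.call_count == 1` after `self.credentials.refresh(None)` states the intent directly: refresh performs exactly one metadata lookup, the token request. The same likely applies to the rewritten `get.side_effect` in `test_refresh_success_with_scopes` and `test_before_request_refreshes`, whose bodies continue outside their hunks.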
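Review bot: `assert self.credentials.service_account_email == "default"` after a successful refresh pins the metadata-server alias as the credential's email, and the test gives no hint that this is an alias rather than an account identity. A comment such as `# "default" is the metadata-server alias; refresh() no longer resolves it to the real account email` would make that explicit. Callers that log, compare or authorize on `service_account_email` will see the alias after this change. A companion test showing how the real email is still obtained would be useful if the class offers a way, which is not visible in this diff. The same assertion appears in `test_refresh_success_with_scopes`.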
@@ -137,18 +126,7 @@ def test_refresh_success(self, get, utcnow): ) @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) def test_refresh_success_with_scopes(self, get, utcnow, mock_metrics_header_value): - get.side_effect = [ - { - # First request is for sevice account info. - "email": "service-account@example.com", - "scopes": ["one", "two"], - }, - { - # Second request is for the token. - "access_token": "token", - "expires_in": 500, - }, - ] + get.side_effect = [{"access_token": "token", "expires_in": 500}] # Refresh credentials scopes = ["three", "four"] @@ -160,7 +138,7 @@ def test_refresh_success_with_scopes(self, get, utcnow, mock_metrics_header_valu assert self.credentials.expiry == (utcnow() + datetime.timedelta(seconds=500)) # Check the credential info - assert self.credentials.service_account_email == "service-account@example.com" + assert self.credentials.service_account_email == "default" assert self.credentials._scopes == scopes # Check that the credentials are valid (have a token and are not @@ -184,18 +162,7 @@ def test_refresh_error(self, get): @mock.patch("google.auth.compute_engine._metadata.get", autospec=True) def test_before_request_refreshes(self, get): - get.side_effect = [ - { - # First request is for sevice account info. - "email": "service-account@example.com", - "scopes": "one two", - }, - { - # Second request is for the token. - "access_token": "token", - "expires_in": 500, - }, - ] + get.side_effect = [{"access_token": "token", "expires_in": 500}] # Credentials should start as invalid assert not self.credentials.valid 
@@ -473,20 +440,6 @@ def test_with_target_audience_integration(self): have been mocked. """ - # mock information about credentials - responses.add( - responses.GET, - "http://metadata.google.internal/computeMetadata/v1/instance/" - "service-accounts/default/?recursive=true", - status=200, - content_type="application/json", - json={ - "scopes": "email", - "email": "service-account@example.com", - "aliases": ["default"], - }, - ) - # mock information about universe_domain responses.add( responses.GET, @@ -501,7 +454,7 @@ def test_with_target_audience_integration(self): responses.add( responses.GET, "http://metadata.google.internal/computeMetadata/v1/instance/" - "service-accounts/service-account@example.com/token", + "service-accounts/default/token", status=200, content_type="application/json", json={ @@ -641,25 +594,11 @@ def test_with_quota_project_integration(self): have been mocked. """ - # mock information about credentials - responses.add( - responses.GET, - "http://metadata.google.internal/computeMetadata/v1/instance/" - "service-accounts/default/?recursive=true", - status=200, - content_type="application/json", - json={ - "scopes": "email", - "email": "service-account@example.com", - "aliases": ["default"], - }, - ) - # mock token for credentials responses.add( responses.GET, "http://metadata.google.internal/computeMetadata/v1/instance/" - "service-accounts/service-account@example.com/token", + "service-accounts/default/token", status=200, content_type="application/json", json={