feat: Add getProjectId to ComputeEngineCredentials

psx95 · psx95 · commit fea04ddc6a4d · 2025-10-16T17:23:20.000-04:00
diff --git a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
@@ -130,6 +130,7 @@ public class ComputeEngineCredentials extends GoogleCredentials
   private transient HttpTransportFactory transportFactory;
 
   private String universeDomainFromMetadata = null;
+  private String projectId = null;
 
   /**
    * Experimental Feature.
@@ -341,6 +342,72 @@ private String getUniverseDomainFromMetadata() throws IOException {
     return responseString;
   }
 
+  /**
+   * Retrieves the Google Cloud project ID from the Compute Engine (GCE) metadata server.
+   * <p>
+   * On its first successful execution, it fetches the project ID and caches it for the lifetime
+   * of the object. Subsequent calls will return the cached value without making additional network
+   * requests.
+   * <p>
+   * If the request to the metadata server fails (e.g., due to network issues, or if the VM lacks
+   * the required service account permissions), the method will attempt to fall back to a default
+   * project ID provider which could be {@code null}.
+   *
+   * @return the GCP project ID string, or {@code null} if the metadata server is
+   * inaccessible and no fallback project ID can be determined.
+   */
+  @Override
+  public String getProjectId() {
+    synchronized (this) {
+      if (this.projectId != null) {
+        return this.projectId;
+      }
+    }
+
+    String projectIdFromMetadata = getProjectIdFromMetadata();
+    synchronized (this) {
+      this.projectId = projectIdFromMetadata;
+    }
+    return projectIdFromMetadata;
+  }
+
+  private String getProjectIdFromMetadata() {
+    try {
+      HttpResponse response = getMetadataResponse(getProjectIdUrl(), RequestType.UNTRACKED, false);
+      int statusCode = response.getStatusCode();
+      if (statusCode == HttpStatusCodes.STATUS_CODE_NOT_FOUND) {
+        LoggingUtils.log(LOGGER_PROVIDER, Level.WARNING, Collections.emptyMap(), String.format(
+            "Error code %s trying to get project ID from"
+                + " Compute Engine metadata. This may be because the virtual machine instance"
+                + " does not have permission scopes specified.",
+            statusCode));
+        return super.getProjectId();
+      }
+      if (statusCode != HttpStatusCodes.STATUS_CODE_OK) {
+        LoggingUtils.log(
+            LOGGER_PROVIDER,
+            Level.WARNING,
+            Collections.emptyMap(),
+            String.format(
+                "Unexpected Error code %s trying to get project ID"
+                    + " from Compute Engine metadata for the default service account: %s",
+                statusCode, response.parseAsString()));
+        return super.getProjectId();
+      }
+      return response.parseAsString();
+    } catch (IOException e) {
+      LoggingUtils.log(
+          LOGGER_PROVIDER,
+          Level.WARNING,
+          Collections.emptyMap(),
+          String.format(
+              "Unexpected Error: %s trying to get project ID"
+                  + " from Compute Engine metadata server. Reason: %s",
+               e.getMessage(), e.getCause().toString()));
+      return super.getProjectId();
+    }
+  }
+
   /** Refresh the access token by getting it from the GCE metadata server */
   @Override
   public AccessToken refreshAccessToken() throws IOException {
@@ -642,6 +709,11 @@ public static String getIdentityDocumentUrl() {
         + "/computeMetadata/v1/instance/service-accounts/default/identity";
   }
 
+  public static String getProjectIdUrl() {
+    return getMetadataServerUrl(DefaultCredentialsProvider.DEFAULT)
+        + "/computeMetadata/v1/project/project-id";
+  }
+
   @Override
   public int hashCode() {
     return Objects.hash(transportFactoryClassName);
