Tried to use impersonated_credentials.from_impersonated_account_info in id_token.py

nolanleastin · nolanleastin · commit 17884ab1b0e3 · 2025-04-10T13:16:51.000-07:00
diff --git a/google/auth/impersonated_credentials.py b/google/auth/impersonated_credentials.py
@@ -434,12 +434,12 @@ def _source_credentials_from_impersonated_account_info(cls, info):
         source_credentials_type = source_credentials_info.get("type")
         if source_credentials_type == _AUTHORIZED_USER_TYPE:
             from google.oauth2 import credentials
-            source_credentials, _ = credentials.Credentials.from_authorized_user_info(
-                info
+            source_credentials = credentials.Credentials.from_authorized_user_info(
+                source_credentials_info
             )
         elif source_credentials_type == _SERVICE_ACCOUNT_TYPE:
             from google.oauth2 import service_account
-            source_credentials, _ = service_account.Credentials.from_service_account_info(
+            source_credentials = service_account.Credentials.from_service_account_info(
                 source_credentials_info
             )
         elif source_credentials_type == _EXTERNAL_ACCOUNT_AUTHORIZED_USER_TYPE:
diff --git a/google/oauth2/credentials.py b/google/oauth2/credentials.py
@@ -457,6 +457,8 @@ def from_authorized_user_info(cls, info, scopes=None):
         Raises:
             ValueError: If the info is not in the expected format.
         """
+        print("NTRACE: from_authorizer_user_info")
+        print(info)
         keys_needed = set(("refresh_token", "client_id", "client_secret"))
         missing = keys_needed.difference(info.keys())
 
diff --git a/google/oauth2/id_token.py b/google/oauth2/id_token.py
@@ -284,6 +284,19 @@ def fetch_id_token_credentials(audience, request=None):
                     return service_account.IDTokenCredentials.from_service_account_info(
                         info, target_audience=audience
                     )
+                elif info.get("type") == "impersonated_service_account":
+                    from google.auth import impersonated_credentials
+
+                    target_credentials =  impersonated_credentials.Credentials.from_impersonated_account_info(
+                        info
+                    )
+
+                    id_creds = impersonated_credentials.IDTokenCredentials(
+                        target_credentials=target_credentials,
+                        target_audience=audience,
+                        include_email=True,
+                    )
+                    return id_creds
         except ValueError as caught_exc:
             new_exc = exceptions.DefaultCredentialsError(
                 "GOOGLE_APPLICATION_CREDENTIALS is not valid service account credentials.",
