fetch token from default endpoint

harkamaljot · harkamaljot · commit e691081796f7 · 2025-06-02T23:45:31.000Z
diff --git a/google/auth/compute_engine/credentials.py b/google/auth/compute_engine/credentials.py
@@ -90,6 +90,23 @@ def __init__(
     def _metric_header_for_usage(self):
         return metrics.CRED_TYPE_SA_MDS
 
+    def _retrieve_info(self, request):
+        """Retrieve information about the service account.
+        Updates the scopes and retrieves the full service account email.
+        Args:
+            request (google.auth.transport.Request): The object used to make
+                HTTP requests.
+        """
+        info = _metadata.get_service_account_info(
+            request, service_account=self._service_account_email
+        )
+
+        self._service_account_email = info["email"]
+
+        # Don't override scopes requested by the user.
+        if self._scopes is None:
+            self._scopes = info["scopes"]
+
     def refresh(self, request):
         """Refresh the access token and scopes.
 
@@ -104,8 +121,10 @@ def refresh(self, request):
         """
         scopes = self._scopes if self._scopes is not None else self._default_scopes
         try:
+            self._retrieve_info(request)
+            # Always fetch token with default service account email.
             self.token, self.expiry = _metadata.get_service_account_token(
-                request, service_account=self._service_account_email, scopes=scopes
+                request, service_account="default", scopes=scopes
             )
         except exceptions.TransportError as caught_exc:
             new_exc = exceptions.RefreshError(caught_exc)
diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
diff --git a/system_tests/system_tests_sync/test_compute_engine.py b/system_tests/system_tests_sync/test_compute_engine.py
@@ -35,16 +35,17 @@ def check_gce_environment(http_request):
         pytest.skip("Compute Engine metadata service is not available.")
 
 
-def test_refresh(http_request):
+def test_refresh(http_request, token_info):
     credentials = compute_engine.Credentials()
 
     credentials.refresh(http_request)
 
     assert credentials.token is not None
     assert credentials.service_account_email is not None
 
-    assert credentials.scopes is None
-
+    info = token_info(credentials.token)
+    info_scopes = _helpers.string_to_scopes(info["scope"])
+    assert set(info_scopes) == set(credentials.scopes)
 
 def test_default(verify_refresh):
     credentials, project_id = google.auth.default()
diff --git a/tests/compute_engine/test_credentials.py b/tests/compute_engine/test_credentials.py
@@ -99,7 +99,18 @@ def test_default_state(self):
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     def test_refresh_success(self, get, utcnow):
-        get.side_effect = [{"access_token": "token", "expires_in": 500}]
+        get.side_effect = [
+            {
+                # First request is for sevice account info.
+                "email": "service-account@example.com",
+                "scopes": ["one", "two"],
+            },
+            {
+                # Second request is for the token.
+                "access_token": "token",
+                "expires_in": 500,
+            },
+        ]
 
         # Refresh credentials
         self.credentials.refresh(None)
@@ -109,8 +120,8 @@ def test_refresh_success(self, get, utcnow):
         assert self.credentials.expiry == (utcnow() + datetime.timedelta(seconds=500))
 
         # Check the credential info
-        assert self.credentials.service_account_email == "default"
-        assert self.credentials._scopes is None
+        assert self.credentials.service_account_email == "service-account@example.com"
+        assert self.credentials._scopes == ["one", "two"]
 
         # Check that the credentials are valid (have a token and are not
         # expired)
@@ -126,7 +137,18 @@ def test_refresh_success(self, get, utcnow):
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     def test_refresh_success_with_scopes(self, get, utcnow, mock_metrics_header_value):
-        get.side_effect = [{"access_token": "token", "expires_in": 500}]
+        get.side_effect = [
+            {
+                # First request is for sevice account info.
+                "email": "service-account@example.com",
+                "scopes": ["one", "two"],
+            },
+            {
+                # Second request is for the token.
+                "access_token": "token",
+                "expires_in": 500,
+            },
+        ]
 
         # Refresh credentials
         scopes = ["three", "four"]
@@ -138,7 +160,7 @@ def test_refresh_success_with_scopes(self, get, utcnow, mock_metrics_header_valu
         assert self.credentials.expiry == (utcnow() + datetime.timedelta(seconds=500))
 
         # Check the credential info
-        assert self.credentials.service_account_email == "default"
+        assert self.credentials.service_account_email == "service-account@example.com"
         assert self.credentials._scopes == scopes
 
         # Check that the credentials are valid (have a token and are not
@@ -162,7 +184,18 @@ def test_refresh_error(self, get):
 
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     def test_before_request_refreshes(self, get):
-        get.side_effect = [{"access_token": "token", "expires_in": 500}]
+        get.side_effect = [
+            {
+                # First request is for sevice account info.
+                "email": "service-account@example.com",
+                "scopes": "one two",
+            },
+            {
+                # Second request is for the token.
+                "access_token": "token",
+                "expires_in": 500,
+            },
+        ]
 
         # Credentials should start as invalid
         assert not self.credentials.valid
@@ -439,6 +472,19 @@ def test_with_target_audience_integration(self):
         Instead of mocking the methods, the HTTP responses
         have been mocked.
         """
+        # mock information about credentials
+        responses.add(
+            responses.GET,
+            "http://metadata.google.internal/computeMetadata/v1/instance/"
+            "service-accounts/default/?recursive=true",
+            status=200,
+            content_type="application/json",
+            json={
+                "scopes": "email",
+                "email": "service-account@example.com",
+                "aliases": ["default"],
+            },
+        )
 
         # mock information about universe_domain
         responses.add(
@@ -450,6 +496,20 @@ def test_with_target_audience_integration(self):
             json={},
         )
 
+        # mock information about credentials
+        responses.add(
+            responses.GET,
+            "http://metadata.google.internal/computeMetadata/v1/instance/"
+            "service-accounts/default/?recursive=true",
+            status=200,
+            content_type="application/json",
+            json={
+                "scopes": "email",
+                "email": "service-account@example.com",
+                "aliases": ["default"],
+            },
+        )
+
         # mock token for credentials
         responses.add(
             responses.GET,
@@ -594,6 +654,20 @@ def test_with_quota_project_integration(self):
         have been mocked.
         """
 
+        # mock information about credentials
+        responses.add(
+            responses.GET,
+            "http://metadata.google.internal/computeMetadata/v1/instance/"
+            "service-accounts/default/?recursive=true",
+            status=200,
+            content_type="application/json",
+            json={
+                "scopes": "email",
+                "email": "service-account@example.com",
+                "aliases": ["default"],
+            },
+        )
+
         # mock token for credentials
         responses.add(
             responses.GET,
