google-auth CI is broken

[suztomo]

#17328 (comment) .

Seeing a lot of JWT Grant issues in the System Tests. I suspect a key has expired or something similar.

__________________________ test_iam_signer[requests] ___________________________

http_request = 
credentials = 

    def test_iam_signer(http_request, credentials):
        credentials = credentials.with_scopes(
            ["https://www.googleapis.com/auth/iam"]
        )
    
        # Verify iamcredentials signer.
        signer = iam.Signer(
            http_request,
            credentials,
            credentials.service_account_email
        )
    
>       signed_blob = signer.sign("message")

system_tests_sync/test_service_account.py:61: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
../google/auth/iam.py:142: in sign
    response = self._make_signing_request(message)
../google/auth/iam.py:115: in _make_signing_request
    self._credentials.before_request(self._request, method, url, headers)
../google/auth/credentials.py:469: in before_request
    self._blocking_refresh(request)
../google/auth/credentials.py:203: in _blocking_refresh
    self.refresh(request)
../google/auth/credentials.py:482: in refresh
    self._perform_refresh_token(request)
../google/oauth2/service_account.py:460: in _perform_refresh_token
    access_token, expiry, _ = _client.jwt_grant(
../google/oauth2/_client.py:307: in jwt_grant
    response_data = _token_endpoint_request(
../google/oauth2/_client.py:278: in _token_endpoint_request
    _handle_error_response(response_data, retryable_error)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

response_data = {'error': 'invalid_grant', 'error_description': 'Invalid JWT Signature.'}
retryable_error = False

    def _handle_error_response(response_data, retryable_error):
        """Translates an error response into an exception.
    
        Args:
            response_data (Mapping | str): The decoded response data.
            retryable_error Optional[bool]: A boolean indicating if an error is retryable.
                Defaults to False.
    
        Raises:
            google.auth.exceptions.RefreshError: The errors contained in response_data.
        """
    
        retryable_error = retryable_error if retryable_error else False
    
        if isinstance(response_data, str):
            raise exceptions.RefreshError(response_data, retryable=retryable_error)
        try:
            error_details = "{}: {}".format(
                response_data["error"], response_data.get("error_description")
            )
        # If no details could be extracted, use the response data.
        except (KeyError, ValueError):
            error_details = json.dumps(response_data)
    
>       raise exceptions.RefreshError(
            error_details, response_data, retryable=retryable_error
        )
E       google.auth.exceptions.RefreshError: ('invalid_grant: Invalid JWT Signature.', {'error': 'invalid_grant', 'error_description': 'Invalid JWT Signature.'})

Originally posted by @chalmerlowe in #17328 (comment)

[daniel-sanche]

It looks like there's a new policy that service account keys expire after 90 days

I manually updated the key in the service account bucket, and opened a PR to re-enable releases

Going forward, it looks like we need to add a job to update the service account file automatically, which we have for other secrets