From 86ce3924c70024f7ebd24f3e7da6f011592061f1 Mon Sep 17 00:00:00 2001 From: Daniel Sanche Date: Mon, 30 Mar 2026 13:36:38 -0700 Subject: [PATCH 1/5] fix(auth): Use requests.Transport for GCE MDS --- packages/google-auth/google/auth/_default.py | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/packages/google-auth/google/auth/_default.py b/packages/google-auth/google/auth/_default.py index d3beab4b6cd7..5eebac1e416a 100644 --- a/packages/google-auth/google/auth/_default.py +++ b/packages/google-auth/google/auth/_default.py @@ -27,7 +27,6 @@ from google.auth import environment_vars from google.auth import exceptions -import google.auth.transport._http_client if TYPE_CHECKING: # pragma: NO COVER from google.auth.credentials import Credentials # noqa: F401 @@ -390,22 +389,19 @@ def _get_gae_credentials(): def _get_gce_credentials(request=None, quota_project_id=None): """Gets credentials and project ID from the GCE Metadata Service.""" - # Ping requires a transport, but we want application default credentials - # to require no arguments. So, we'll use the _http_client transport which - # uses http.client. This is only acceptable because the metadata server - # doesn't do SSL and never requires proxies. - # While this library is normally bundled with compute_engine, there are # some cases where it's not available, so we tolerate ImportError. + # Compute Engine requires optional `requests` dependency. try: from google.auth import compute_engine from google.auth.compute_engine import _metadata + import google.auth.transport.requests except ImportError: _LOGGER.warning("Import of Compute Engine auth library failed.") return None, None if request is None: - request = google.auth.transport._http_client.Request() + request = google.auth.transport.requests.Request() if _metadata.is_on_gce(request=request): # Get the project ID. From 2d31c00681d4e478de45f46216d2bd830414eb4c Mon Sep 17 00:00:00 2001 From: Daniel Sanche Date: Mon, 30 Mar 2026 13:48:16 -0700 Subject: [PATCH 2/5] fixed typo --- packages/google-auth/google/auth/transport/_http_client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/google-auth/google/auth/transport/_http_client.py b/packages/google-auth/google/auth/transport/_http_client.py index ecd51bdf8a75..bcfc2b27cb8e 100644 --- a/packages/google-auth/google/auth/transport/_http_client.py +++ b/packages/google-auth/google/auth/transport/_http_client.py @@ -94,7 +94,7 @@ def __call__( if parts.scheme != "http": raise exceptions.TransportError( "http.client transport only supports the http scheme, {}" - "was specified".format(parts.scheme) + " was specified".format(parts.scheme) ) connection = http_client.HTTPConnection(parts.netloc, timeout=timeout) From 620ba42b1a11cfde39f64000c91268ff5c1ec822 Mon Sep 17 00:00:00 2001 From: Daniel Sanche Date: Mon, 30 Mar 2026 13:54:48 -0700 Subject: [PATCH 3/5] added test --- packages/google-auth/tests/test__default.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/packages/google-auth/tests/test__default.py b/packages/google-auth/tests/test__default.py index 7ff2ff9437d8..f80be445073c 100644 --- a/packages/google-auth/tests/test__default.py +++ b/packages/google-auth/tests/test__default.py @@ -890,6 +890,16 @@ def test__get_gce_credentials_explicit_request(ping): ping.assert_called_with(request=mock.sentinel.request) +@mock.patch( + "google.auth.compute_engine._metadata.is_on_gce", return_value=False, autospec=True +) +@mock.patch("google.auth.transport.requests.Request", autospec=True) +def test__get_gce_credentials_default_request(mock_request_cls, ping): + _default._get_gce_credentials() + mock_request_cls.assert_called_once() + ping.assert_called_with(request=mock_request_cls.return_value) + + @mock.patch( "google.auth._default._get_explicit_environ_credentials", return_value=(MOCK_CREDENTIALS, mock.sentinel.project_id), From a7733d956dcd3ff9124c4ffd6499bbd56393b608 Mon Sep 17 00:00:00 2001 From: Daniel Sanche Date: Mon, 30 Mar 2026 14:27:08 -0700 Subject: [PATCH 4/5] fixed lint --- packages/google-auth/google/auth/_default.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/google-auth/google/auth/_default.py b/packages/google-auth/google/auth/_default.py index 5eebac1e416a..cb40c1fa6d77 100644 --- a/packages/google-auth/google/auth/_default.py +++ b/packages/google-auth/google/auth/_default.py @@ -29,8 +29,8 @@ from google.auth import exceptions if TYPE_CHECKING: # pragma: NO COVER - from google.auth.credentials import Credentials # noqa: F401 - from google.auth.transport import Request # noqa: F401 + import google.auth.credentials.Credentials # type: ignore + import google.auth.transport.Request # type: ignore _LOGGER = logging.getLogger(__name__) From b76925f7533d7c11340d6cce5ebd0e9eaa66df1c Mon Sep 17 00:00:00 2001 From: Daniel Sanche Date: Tue, 31 Mar 2026 14:54:25 -0700 Subject: [PATCH 5/5] Update packages/google-auth/tests/test__default.py Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- packages/google-auth/tests/test__default.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/packages/google-auth/tests/test__default.py b/packages/google-auth/tests/test__default.py index f80be445073c..dd98ad741a5d 100644 --- a/packages/google-auth/tests/test__default.py +++ b/packages/google-auth/tests/test__default.py @@ -895,9 +895,11 @@ def test__get_gce_credentials_explicit_request(ping): ) @mock.patch("google.auth.transport.requests.Request", autospec=True) def test__get_gce_credentials_default_request(mock_request_cls, ping): - _default._get_gce_credentials() + credentials, project_id = _default._get_gce_credentials() mock_request_cls.assert_called_once() ping.assert_called_with(request=mock_request_cls.return_value) + assert credentials is None + assert project_id is None @mock.patch(