feat: Add custom scopes for access tokens from the metadata service (#633)
This works for App Engine, Cloud Run and Flex. On Compute Engine you
can request custom scopes, but they are ignored.
Co-authored-by: Tres Seaver <tseaver@palladion.com>
Co-authored-by: Bu Sun Kim <8822365+busunkim96@users.noreply.github.com>
diff --git a/google/auth/_default.py b/google/auth/_default.py
index de81c5b..4377893 100644
--- a/google/auth/_default.py
+++ b/google/auth/_default.py
@@ -274,10 +274,11 @@
gcloud config set project
3. If the application is running in the `App Engine standard environment`_
- then the credentials and project ID from the `App Identity Service`_
- are used.
- 4. If the application is running in `Compute Engine`_ or the
- `App Engine flexible environment`_ then the credentials and project ID
+ (first generation) then the credentials and project ID from the
+ `App Identity Service`_ are used.
+ 4. If the application is running in `Compute Engine`_ or `Cloud Run`_ or
+ the `App Engine flexible environment`_ or the `App Engine standard
+ environment`_ (second generation) then the credentials and project ID
are obtained from the `Metadata Service`_.
5. If no credentials are found,
:class:`~google.auth.exceptions.DefaultCredentialsError` will be raised.
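Review bot: Missing documentation in the reworded item 4: the commit message says custom scopes work on App Engine, Cloud Run and Flex but are ignored on Compute Engine, yet this item lists Compute Engine alongside those environments without stating that difference. A caller who requests narrowed scopes for least privilege would have no hint from this docstring that the request has no effect on Compute Engine. Suggest adding a sentence to item 4 saying that requested scopes are honoured on Cloud Run, App Engine flexible and App Engine standard (second generation) and ignored on Compute Engine. As a smaller style point, the "or ... or ... or" chain in the new lines would read better as a comma-separated list.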
@@ -293,6 +294,7 @@
/appengine/flexible
.. _Metadata Service: https://cloud.google.com/compute/docs\
/storing-retrieving-metadata
+ .. _Cloud Run: https://cloud.google.com/run
Example::
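Review bot: Style point on the added `.. _Cloud Run: https://cloud.google.com/run` target: it points at the product landing page, whereas the neighbouring `Metadata Service` target points at a documentation page under `/compute/docs`. Consider linking to the Cloud Run documentation page that covers the service identity or metadata server, so a reader following item 4 lands on material about how credentials are obtained there.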