fix: do not use the GAE APIs on gen2+ runtimes (#807)

* fix: do not use the GAE APIs on gen2+ runtimes

Currently, this library uses the App Engine API in all environments if
it can be imported successfully. This assumption made sense when the API
was only available on gen1, but this is no longer the case.
See https://github.com/GoogleCloudPlatform/appengine-python-standard

In order to comply with AIP-4115, we must treat GAE gen2+ as a "compute
engine equivalent environment" even if the GAE APIs are importable.
In other words, google.auth.default() must never return an
app_engine.Credentials on GAE gen2+.

Currently, this library uses the App Engine API in all environments if
it can be imported successfully. This assumption made sense when the API
was only available on gen1, but this is no longer the case.
See https://github.com/GoogleCloudPlatform/appengine-python-standard

In order to comply with AIP-4115, we must treat GAE gen2+ as a "compute
engine equivalent environment" even if the GAE APIs are importable.
In other words, google.auth.default() should not return an
app_engine.Credentials on GAE gen2+.

* blacken

Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
diff --git a/google/auth/_default.py b/google/auth/_default.py
index 4dc0725..f7e308f 100644
--- a/google/auth/_default.py
+++ b/google/auth/_default.py
@@ -230,6 +230,11 @@
 
 def _get_gae_credentials():
     """Gets Google App Engine App Identity credentials and project ID."""
+    # If not GAE gen1, prefer the metadata service even if the GAE APIs are
+    # available as per https://google.aip.dev/auth/4115.
+    if os.environ.get(environment_vars.LEGACY_APPENGINE_RUNTIME) != "python27":
+        return None, None
+
     # While this library is normally bundled with app_engine, there are
     # some cases where it's not available, so we tolerate ImportError.
     try:
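Review bot: The new early return at the top of _get_gae_credentials() is silent and undocumented. The docstring still reads as if App Identity credentials are returned whenever the GAE APIs import, and nothing is logged when the function bails out with `return None, None`. Since this check now decides which credential type google.auth.default() hands back, please extend the docstring to say the function only applies on the gen1 runtime, and consider a debug-level log on the early return so that a deployment that unexpectedly falls through to the metadata service can be diagnosed. The comparison `!= "python27"` is also an exact match against a bare string literal, so an unset variable or any other value skips App Identity credentials. That matches the stated AIP-4115 intent, but a named constant for "python27" and tests covering the unset, "python27" and non-"python27" cases would pin the behaviour down.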