fix: only add IAM scope to credentials that can change scopes (#451)
diff --git a/google/auth/impersonated_credentials.py b/google/auth/impersonated_credentials.py
index bc7031e..1bb6b82 100644
--- a/google/auth/impersonated_credentials.py
+++ b/google/auth/impersonated_credentials.py
@@ -205,7 +205,11 @@
super(Credentials, self).__init__()
self._source_credentials = copy.copy(source_credentials)
- self._source_credentials._scopes = _IAM_SCOPE
+ # Service account source credentials must have the _IAM_SCOPE
+ # added to refresh correctly. User credentials cannot have
+ # their original scopes modified.
+ if isinstance(self._source_credentials, credentials.Scoped):
+ self._source_credentials = self._source_credentials.with_scopes(_IAM_SCOPE)
self._target_principal = target_principal
self._target_scopes = target_scopes
self._delegates = delegates
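Review bot: Source credentials that are not `credentials.Scoped` now skip the new `isinstance` branch and keep whatever scopes they were issued with, and nothing in the hunk checks that those scopes are sufficient for the impersonation call. A user credential lacking the needed scope would presumably fail only later, at refresh time, with an error that does not point back to this constructor. The added comment should state that precondition, e.g. `# Non-Scoped (user) credentials are used as-is and must already be authorized for the IAM scope.` A test pair would pin the intent: a non-Scoped source is left unmodified, and a Scoped source is replaced by the result of `with_scopes(_IAM_SCOPE)` rather than having its private `_scopes` written. The enclosing `__init__` starts and ends outside the hunk.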