fix: don't add empty quota project (#560)
diff --git a/google/auth/_default.py b/google/auth/_default.py
index f3e498b..694033f 100644
--- a/google/auth/_default.py
+++ b/google/auth/_default.py
@@ -116,11 +116,13 @@
try:
credentials = credentials.Credentials.from_authorized_user_info(
info, scopes=scopes
- ).with_quota_project(quota_project_id)
+ )
except ValueError as caught_exc:
msg = "Failed to load authorized user credentials from {}".format(filename)
new_exc = exceptions.DefaultCredentialsError(msg, caught_exc)
six.raise_from(new_exc, caught_exc)
+ if quota_project_id:
+ credentials = credentials.with_quota_project(quota_project_id)
if not credentials.quota_project_id:
_warn_about_problematic_credentials(credentials)
return credentials, None
@@ -131,11 +133,13 @@
try:
credentials = service_account.Credentials.from_service_account_info(
info, scopes=scopes
- ).with_quota_project(quota_project_id)
+ )
except ValueError as caught_exc:
msg = "Failed to load service account credentials from {}".format(filename)
new_exc = exceptions.DefaultCredentialsError(msg, caught_exc)
six.raise_from(new_exc, caught_exc)
+ if quota_project_id:
+ credentials = credentials.with_quota_project(quota_project_id)
return credentials, info.get("project_id")
else:
@@ -317,9 +321,10 @@
for checker in checkers:
credentials, project_id = checker()
if credentials is not None:
- credentials = with_scopes_if_required(
- credentials, scopes
- ).with_quota_project(quota_project_id)
+ credentials = with_scopes_if_required(credentials, scopes)
+ if quota_project_id:
+ credentials = credentials.with_quota_project(quota_project_id)
+
effective_project_id = explicit_project_id or project_id
if not effective_project_id:
_LOGGER.warning(
diff --git a/tests/test__default.py b/tests/test__default.py
index 0665efa..55a14c2 100644
--- a/tests/test__default.py
+++ b/tests/test__default.py
@@ -165,6 +165,15 @@
assert credentials.scopes == ["https://www.google.com/calendar/feeds"]
+def test_load_credentials_from_file_service_account_with_quota_project():
+ credentials, project_id = _default.load_credentials_from_file(
+ SERVICE_ACCOUNT_FILE, quota_project_id="project-foo"
+ )
+ assert isinstance(credentials, service_account.Credentials)
+ assert project_id == SERVICE_ACCOUNT_FILE_DATA["project_id"]
+ assert credentials.quota_project_id == "project-foo"
+
+
def test_load_credentials_from_file_service_account_bad_format(tmpdir):
filename = tmpdir.join("serivce_account_bad.json")
filename.write(json.dumps({"type": "service_account"}))
@@ -470,6 +479,18 @@
return_value=(MOCK_CREDENTIALS, mock.sentinel.project_id),
autospec=True,
)
+def test_default_quota_project(with_quota_project):
+ credentials, project_id = _default.default(quota_project_id="project-foo")
+
+ MOCK_CREDENTIALS.with_quota_project.assert_called_once_with("project-foo")
+ assert project_id == mock.sentinel.project_id
+
+
+@mock.patch(
+ "google.auth._default._get_explicit_environ_credentials",
+ return_value=(MOCK_CREDENTIALS, mock.sentinel.project_id),
+ autospec=True,
+)
def test_default_no_app_engine_compute_engine_module(unused_get):
"""
google.auth.compute_engine and google.auth.app_engine are both optional