fix: apply quota project for compute cred in adc (#1177)

* fix: apply quota project for compute cred in adc * update secret
googleapis · Nov 7, 2022 · b9aa92a · b9aa92a
1 parent e9e76d1
commit b9aa92a
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 3 deletions.
diff --git a/google/auth/_default.py b/google/auth/_default.py
@@ -267,7 +267,7 @@ def _get_gae_credentials():
         return None, None
 
 
-def _get_gce_credentials(request=None):
+def _get_gce_credentials(request=None, quota_project_id=None):
     """Gets credentials and project ID from the GCE Metadata Service."""
     # Ping requires a transport, but we want application default credentials
     # to require no arguments. So, we'll use the _http_client transport which
@@ -293,7 +293,10 @@ def _get_gce_credentials(request=None):
         except exceptions.TransportError:
             project_id = None
 
-        return compute_engine.Credentials(), project_id
+        cred = compute_engine.Credentials()
+        cred = _apply_quota_project_id(cred, quota_project_id)
+
+        return cred, project_id
     else:
         _LOGGER.warning(
             "Authentication failed using Compute Engine authentication due to unavailable metadata server."
@@ -603,7 +606,7 @@ def default(scopes=None, request=None, quota_project_id=None, default_scopes=Non
         lambda: _get_explicit_environ_credentials(quota_project_id=quota_project_id),
         lambda: _get_gcloud_sdk_credentials(quota_project_id=quota_project_id),
         _get_gae_credentials,
-        lambda: _get_gce_credentials(request),
+        lambda: _get_gce_credentials(request, quota_project_id=quota_project_id),
     )
 
     for checker in checkers:

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
diff --git a/tests/test__default.py b/tests/test__default.py
@@ -1234,3 +1234,32 @@ def test_quota_project_from_environment(get_adc_path):
     explicit_quota = "explicit_quota"
     credentials, _ = _default.default(quota_project_id=explicit_quota)
     assert credentials.quota_project_id == explicit_quota
+
+
+@mock.patch(
+    "google.auth.compute_engine._metadata.ping", return_value=True, autospec=True
+)
+@mock.patch(
+    "google.auth.compute_engine._metadata.get_project_id",
+    return_value="example-project",
+    autospec=True,
+)
+@mock.patch.dict(os.environ)
+def test_quota_gce_credentials(unused_get, unused_ping):
+    # No quota
+    credentials, project_id = _default._get_gce_credentials()
+    assert project_id == "example-project"
+    assert credentials.quota_project_id is None
+
+    # Quota from environment
+    quota_from_env = "quota_from_env"
+    os.environ[environment_vars.GOOGLE_CLOUD_QUOTA_PROJECT] = quota_from_env
+    credentials, project_id = _default._get_gce_credentials()
+    assert credentials.quota_project_id == quota_from_env
+
+    # Explicit quota
+    explicit_quota = "explicit_quota"
+    credentials, project_id = _default._get_gce_credentials(
+        quota_project_id=explicit_quota
+    )
+    assert credentials.quota_project_id == explicit_quota