From 55beaa993aaf052d8be39766afc6777c3c2a0bdd Mon Sep 17 00:00:00 2001
From: Cody Oss <6331106+codyoss@users.noreply.github.com>
Date: Mon, 22 Apr 2024 12:26:41 -0500
Subject: [PATCH] fix(auth/credentials): error on bad file name if explicitly
 set (#10018)

Only want our fall-through logic to work for ADC specified behaviour, not explicit credential options.

Fixes: #9809
---
 auth/credentials/detect.go      | 5 ++++-
 auth/credentials/detect_test.go | 9 +++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/auth/credentials/detect.go b/auth/credentials/detect.go
index 5723ae94b32..cb3f44f5873 100644
--- a/auth/credentials/detect.go
+++ b/auth/credentials/detect.go
@@ -76,7 +76,10 @@ func DetectDefault(opts *DetectOptions) (*auth.Credentials, error) {
 	if opts.CredentialsJSON != nil {
 		return readCredentialsFileJSON(opts.CredentialsJSON, opts)
 	}
-	if filename := credsfile.GetFileNameFromEnv(opts.CredentialsFile); filename != "" {
+	if opts.CredentialsFile != "" {
+		return readCredentialsFile(opts.CredentialsFile, opts)
+	}
+	if filename := os.Getenv(credsfile.GoogleAppCredsEnvVar); filename != "" {
 		if creds, err := readCredentialsFile(filename, opts); err == nil {
 			return creds, err
 		}
diff --git a/auth/credentials/detect_test.go b/auth/credentials/detect_test.go
index 8219a9b2391..95661373a21 100644
--- a/auth/credentials/detect_test.go
+++ b/auth/credentials/detect_test.go
@@ -688,6 +688,15 @@ func TestDefaultCredentials_BadFiletype(t *testing.T) {
 	}
 }
 
+func TestDefaultCredentials_BadFileName(t *testing.T) {
+	if _, err := DetectDefault(&DetectOptions{
+		CredentialsFile: "a/bad/filepath",
+		Scopes:          []string{"https://www.googleapis.com/auth/cloud-platform"},
+	}); err == nil {
+		t.Fatal("got nil, want non-nil err")
+	}
+}
+
 func TestDefaultCredentials_Validate(t *testing.T) {
 	tests := []struct {
 		name string