fix: remove unnecessary call to mds service (#1769)

harkamaljot · web-flow · commit 7c61c7d0a42c · 2025-05-23T21:37:19.000Z
diff --git a/google/auth/compute_engine/credentials.py b/google/auth/compute_engine/credentials.py
@@ -87,25 +87,6 @@ def __init__(
             self._universe_domain = universe_domain
             self._universe_domain_cached = True
 
-    def _retrieve_info(self, request):
-        """Retrieve information about the service account.
-
-        Updates the scopes and retrieves the full service account email.
-
-        Args:
-            request (google.auth.transport.Request): The object used to make
-                HTTP requests.
-        """
-        info = _metadata.get_service_account_info(
-            request, service_account=self._service_account_email
-        )
-
-        self._service_account_email = info["email"]
-
-        # Don't override scopes requested by the user.
-        if self._scopes is None:
-            self._scopes = info["scopes"]
-
     def _metric_header_for_usage(self):
         return metrics.CRED_TYPE_SA_MDS
 
@@ -123,7 +104,6 @@ def refresh(self, request):
         """
         scopes = self._scopes if self._scopes is not None else self._default_scopes
         try:
-            self._retrieve_info(request)
             self.token, self.expiry = _metadata.get_service_account_token(
                 request, service_account=self._service_account_email, scopes=scopes
             )
diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
diff --git a/system_tests/system_tests_sync/test_compute_engine.py b/system_tests/system_tests_sync/test_compute_engine.py
@@ -35,17 +35,15 @@ def check_gce_environment(http_request):
         pytest.skip("Compute Engine metadata service is not available.")
 
 
-def test_refresh(http_request, token_info):
+def test_refresh(http_request):
     credentials = compute_engine.Credentials()
 
     credentials.refresh(http_request)
 
     assert credentials.token is not None
     assert credentials.service_account_email is not None
 
-    info = token_info(credentials.token)
-    info_scopes = _helpers.string_to_scopes(info["scope"])
-    assert set(info_scopes) == set(credentials.scopes)
+    assert credentials.scopes is None
 
 
 def test_default(verify_refresh):
diff --git a/tests/compute_engine/test_credentials.py b/tests/compute_engine/test_credentials.py
@@ -99,18 +99,7 @@ def test_default_state(self):
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     def test_refresh_success(self, get, utcnow):
-        get.side_effect = [
-            {
-                # First request is for sevice account info.
-                "email": "service-account@example.com",
-                "scopes": ["one", "two"],
-            },
-            {
-                # Second request is for the token.
-                "access_token": "token",
-                "expires_in": 500,
-            },
-        ]
+        get.side_effect = [{"access_token": "token", "expires_in": 500}]
 
         # Refresh credentials
         self.credentials.refresh(None)
@@ -120,8 +109,8 @@ def test_refresh_success(self, get, utcnow):
         assert self.credentials.expiry == (utcnow() + datetime.timedelta(seconds=500))
 
         # Check the credential info
-        assert self.credentials.service_account_email == "service-account@example.com"
-        assert self.credentials._scopes == ["one", "two"]
+        assert self.credentials.service_account_email == "default"
+        assert self.credentials._scopes is None
 
         # Check that the credentials are valid (have a token and are not
         # expired)
@@ -137,18 +126,7 @@ def test_refresh_success(self, get, utcnow):
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     def test_refresh_success_with_scopes(self, get, utcnow, mock_metrics_header_value):
-        get.side_effect = [
-            {
-                # First request is for sevice account info.
-                "email": "service-account@example.com",
-                "scopes": ["one", "two"],
-            },
-            {
-                # Second request is for the token.
-                "access_token": "token",
-                "expires_in": 500,
-            },
-        ]
+        get.side_effect = [{"access_token": "token", "expires_in": 500}]
 
         # Refresh credentials
         scopes = ["three", "four"]
@@ -160,7 +138,7 @@ def test_refresh_success_with_scopes(self, get, utcnow, mock_metrics_header_valu
         assert self.credentials.expiry == (utcnow() + datetime.timedelta(seconds=500))
 
         # Check the credential info
-        assert self.credentials.service_account_email == "service-account@example.com"
+        assert self.credentials.service_account_email == "default"
         assert self.credentials._scopes == scopes
 
         # Check that the credentials are valid (have a token and are not
@@ -184,18 +162,7 @@ def test_refresh_error(self, get):
 
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     def test_before_request_refreshes(self, get):
-        get.side_effect = [
-            {
-                # First request is for sevice account info.
-                "email": "service-account@example.com",
-                "scopes": "one two",
-            },
-            {
-                # Second request is for the token.
-                "access_token": "token",
-                "expires_in": 500,
-            },
-        ]
+        get.side_effect = [{"access_token": "token", "expires_in": 500}]
 
         # Credentials should start as invalid
         assert not self.credentials.valid
@@ -473,20 +440,6 @@ def test_with_target_audience_integration(self):
         have been mocked.
         """
 
-        # mock information about credentials
-        responses.add(
-            responses.GET,
-            "http://metadata.google.internal/computeMetadata/v1/instance/"
-            "service-accounts/default/?recursive=true",
-            status=200,
-            content_type="application/json",
-            json={
-                "scopes": "email",
-                "email": "service-account@example.com",
-                "aliases": ["default"],
-            },
-        )
-
         # mock information about universe_domain
         responses.add(
             responses.GET,
@@ -501,7 +454,7 @@ def test_with_target_audience_integration(self):
         responses.add(
             responses.GET,
             "http://metadata.google.internal/computeMetadata/v1/instance/"
-            "service-accounts/service-account@example.com/token",
+            "service-accounts/default/token",
             status=200,
             content_type="application/json",
             json={
@@ -641,25 +594,11 @@ def test_with_quota_project_integration(self):
         have been mocked.
         """
 
-        # mock information about credentials
-        responses.add(
-            responses.GET,
-            "http://metadata.google.internal/computeMetadata/v1/instance/"
-            "service-accounts/default/?recursive=true",
-            status=200,
-            content_type="application/json",
-            json={
-                "scopes": "email",
-                "email": "service-account@example.com",
-                "aliases": ["default"],
-            },
-        )
-
         # mock token for credentials
         responses.add(
             responses.GET,
             "http://metadata.google.internal/computeMetadata/v1/instance/"
-            "service-accounts/service-account@example.com/token",
+            "service-accounts/default/token",
             status=200,
             content_type="application/json",
             json={
