fix: Skip checking projectid on cred if env var is set (#1349)

* fix: Skip checking projectid on cred if env var is set * add test for legacy project --------- Co-authored-by: Carl Lundin <108372512+clundin25@users.noreply.github.com>

Author: sai-sunder-s

google/auth/_default.py

@@ -660,24 +660,25 @@ def default(scopes=None, request=None, quota_project_id=None, default_scopes=Non
  credentials, scopes, default_scopes=default_scopes
  )
 
+ effective_project_id = explicit_project_id or project_id
+
  # For external account credentials, scopes are required to determine
  # the project ID. Try to get the project ID again if not yet
  # determined.
- if not project_id and callable(
+ if not effective_project_id and callable(
  getattr(credentials, "get_project_id", None)
  ):
  if request is None:
  import google.auth.transport.requests
 
  request = google.auth.transport.requests.Request()
- project_id = credentials.get_project_id(request=request)
+ effective_project_id = credentials.get_project_id(request=request)
 
  if quota_project_id and isinstance(
  credentials, CredentialsWithQuotaProject
  ):
  credentials = credentials.with_quota_project(quota_project_id)
 
- effective_project_id = explicit_project_id or project_id
  if not effective_project_id:
  _LOGGER.warning(
  "No project ID could be determined. Consider running "

tests/test__default.py

@@ -1030,6 +1030,61 @@ def test_default_environ_external_credentials_identity_pool_impersonated(
  assert project_id is mock.sentinel.project_id
  assert credentials.scopes == ["https://www.google.com/calendar/feeds"]
 
+ # The credential.get_project_id should have been used in _get_external_account_credentials and default
+ assert get_project_id.call_count == 2
+
+
+@EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH
+@mock.patch.dict(os.environ)
+def test_default_environ_external_credentials_project_from_env(
+ get_project_id, monkeypatch, tmpdir
+):
+ project_from_env = "project_from_env"
+ os.environ[environment_vars.PROJECT] = project_from_env
+
+ config_file = tmpdir.join("config.json")
+ config_file.write(json.dumps(IMPERSONATED_IDENTITY_POOL_DATA))
+ monkeypatch.setenv(environment_vars.CREDENTIALS, str(config_file))
+
+ credentials, project_id = _default.default(
+ scopes=["https://www.google.com/calendar/feeds"]
+ )
+
+ assert isinstance(credentials, identity_pool.Credentials)
+ assert not credentials.is_user
+ assert not credentials.is_workforce_pool
+ assert project_id == project_from_env
+ assert credentials.scopes == ["https://www.google.com/calendar/feeds"]
+
+ # The credential.get_project_id should have been used only in _get_external_account_credentials
+ assert get_project_id.call_count == 1
+
+
+@EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH
+@mock.patch.dict(os.environ)
+def test_default_environ_external_credentials_legacy_project_from_env(
+ get_project_id, monkeypatch, tmpdir
+):
+ project_from_env = "project_from_env"
+ os.environ[environment_vars.LEGACY_PROJECT] = project_from_env
+
+ config_file = tmpdir.join("config.json")
+ config_file.write(json.dumps(IMPERSONATED_IDENTITY_POOL_DATA))
+ monkeypatch.setenv(environment_vars.CREDENTIALS, str(config_file))
+
+ credentials, project_id = _default.default(
+ scopes=["https://www.google.com/calendar/feeds"]
+ )
+
+ assert isinstance(credentials, identity_pool.Credentials)
+ assert not credentials.is_user
+ assert not credentials.is_workforce_pool
+ assert project_id == project_from_env
+ assert credentials.scopes == ["https://www.google.com/calendar/feeds"]
+
+ # The credential.get_project_id should have been used only in _get_external_account_credentials
+ assert get_project_id.call_count == 1
+
 
 @EXTERNAL_ACCOUNT_GET_PROJECT_ID_PATCH
 def test_default_environ_external_credentials_aws_impersonated(