googleapis · sqrrrl · Feb 1, 2019 · Feb 1, 2019 · Mar 29, 2019 · Oct 22, 2019
diff --git a/google/auth/_default.py b/google/auth/_default.py
@@ -244,12 +244,13 @@ def default(scopes=None, request=None):

            gcloud config set project

-    3. If the application is running in the `App Engine standard environment`_
-       then the credentials and project ID from the `App Identity Service`_
-       are used.
-    4. If the application is running in `Compute Engine`_ or the
-       `App Engine flexible environment`_ then the credentials and project ID
-       are obtained from the `Metadata Service`_.
+    3. If the application is running in the `App Engine standard first
+       generation environment`_ then the credentials and project ID from the
+       `App Identity Service`_ are used.
+    4. If the application is running in `Compute Engine`_, the `App Engine
+       standard second generation environment`_, or the `App Engine flexible
+       environment`_ then the credentials and project ID are obtained from the
+       `Metadata Service`_.
    5. If no credentials are found,
       :class:`~google.auth.exceptions.DefaultCredentialsError` will be raised.


diff --git a/google/auth/compute_engine/_metadata.py b/google/auth/compute_engine/_metadata.py
@@ -201,7 +201,8 @@ def get_service_account_info(request, service_account="default"):
    )


-def get_service_account_token(request, service_account="default"):
+def get_service_account_token(request, service_account='default',
+                              scopes=None):
    """Get the OAuth 2.0 access token for a service account.

    Args:
@@ -210,6 +211,8 @@ def get_service_account_token(request, service_account="default"):
        service_account (str): The string 'default' or a service account email
            address. The determines which service account for which to acquire
            an access token.
+        scopes (Sequence[str]): A list of OAuth scopes the token should contain.
+            Defaults to cloud-platform if not provided.

    Returns:
        Union[str, datetime]: The access token and its expiration.
@@ -218,9 +221,11 @@ def get_service_account_token(request, service_account="default"):
        google.auth.exceptions.TransportError: if an error occurred while
            retrieving metadata.
    """
-    token_json = get(
-        request, "instance/service-accounts/{0}/token".format(service_account)
-    )
+    path = 'instance/service-accounts/{0}/token'.format(urlparse.quote(service_account))
+    if scopes is not None:
+        query = urlparse.urlencode({'scopes': ",".join(scopes)})
+        path = '{0}?{1}'.format(path, query)
+    token_json = get(request, path)
    token_expiry = _helpers.utcnow() + datetime.timedelta(
        seconds=token_json["expires_in"]
    )

diff --git a/google/auth/compute_engine/credentials.py b/google/auth/compute_engine/credentials.py
@@ -32,7 +32,7 @@
 from google.oauth2 import _client


-class Credentials(credentials.ReadOnlyScoped, credentials.Credentials):
+class Credentials(credentials.Scoped, credentials.Credentials):
    """Compute Engine Credentials.

    These credentials use the Google Compute Engine metadata server to obtain
@@ -42,27 +42,22 @@ class Credentials(credentials.ReadOnlyScoped, credentials.Credentials):
    to configure scopes, see the `Compute Engine authentication
    documentation`_.

-    .. note:: Compute Engine instances can be created with scopes and therefore
-        these credentials are considered to be 'scoped'. However, you can
-        not use :meth:`~google.auth.credentials.ScopedCredentials.with_scopes`
-        because it is not possible to change the scopes that the instance
-        has. Also note that
-        :meth:`~google.auth.credentials.ScopedCredentials.has_scopes` will not
-        work until the credentials have been refreshed.
-
    .. _Compute Engine authentication documentation:
        https://cloud.google.com/compute/docs/authentication#using
    """

-    def __init__(self, service_account_email="default"):
+    def __init__(self, service_account_email="default", scopes=None):
        """
        Args:
            service_account_email (str): The service account email to use, or
                'default'. A Compute Engine instance may have multiple service
                accounts.
+            scopes (Sequence[str]): Scopes to request from the metadata service. Only valid
+                for App Engine, Cloud Run, and Cloud Functions. Ignored on GCE instances.
        """
        super(Credentials, self).__init__()
        self._service_account_email = service_account_email
+        self._requested_scopes = scopes

    def _retrieve_info(self, request):
        """Retrieve information about the service account.
@@ -78,7 +73,10 @@ def _retrieve_info(self, request):
        )

        self._service_account_email = info["email"]
-        self._scopes = info["scopes"]
+        if not self._requested_scopes:
+            self._scopes = info["scopes"]
+        else:
+            self._scopes = self._requested_scopes

    def refresh(self, request):
        """Refresh the access token and scopes.
@@ -95,8 +93,9 @@ def refresh(self, request):
        try:
            self._retrieve_info(request)
            self.token, self.expiry = _metadata.get_service_account_token(
-                request, service_account=self._service_account_email
-            )
+                request,
+                service_account=self._service_account_email,
+                scopes=self._requested_scopes)
        except exceptions.TransportError as caught_exc:
            new_exc = exceptions.RefreshError(caught_exc)
            six.raise_from(new_exc, caught_exc)
@@ -112,9 +111,19 @@ def service_account_email(self):

    @property
    def requires_scopes(self):
-        """False: Compute Engine credentials can not be scoped."""
+        """Compute Engine can be scoped by providing scopes to the metadata
+        service, but have default scopes.
+
+        Returns:
+            bool: Always False for this credential type
+        """
        return False

+    @_helpers.copy_docstring(credentials.Scoped)
+    def with_scopes(self, scopes):
+        return self.__class__(
+            scopes=scopes, service_account_email=self._service_account_email)
+

 _DEFAULT_TOKEN_LIFETIME_SECS = 3600  # 1 hour in seconds
 _DEFAULT_TOKEN_URI = "https://www.googleapis.com/oauth2/v4/token"

diff --git a/tests/compute_engine/test__metadata.py b/tests/compute_engine/test__metadata.py
@@ -202,6 +202,25 @@ def test_get_service_account_token(utcnow):
    assert expiry == utcnow() + datetime.timedelta(seconds=ttl)


+@mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
+def test_get_service_account_token_with_scopes(utcnow):
+    ttl = 500
+    request = make_request(
+        json.dumps({"access_token": "token", "expires_in": ttl}),
+        headers={"content-type": "application/json"},
+    )
+
+    token, expiry = _metadata.get_service_account_token(request, scopes=("one", "two"))
+
+    request.assert_called_once_with(
+        method="GET",
+        url=_metadata._METADATA_ROOT + PATH + "/token?scopes=one%2Ctwo",
+        headers=_metadata._METADATA_HEADERS,
+    )
+    assert token == "token"
+    assert expiry == utcnow() + datetime.timedelta(seconds=ttl)
+
+
 def test_get_service_account_info():
    key, value = "foo", "bar"
    request = make_request(

diff --git a/tests/compute_engine/test_credentials.py b/tests/compute_engine/test_credentials.py
@@ -74,6 +74,47 @@ def test_refresh_success(self, get, utcnow):
        # expired)
        assert self.credentials.valid

+    @mock.patch(
+        "google.auth._helpers.utcnow",
+        return_value=datetime.datetime.min + _helpers.CLOCK_SKEW,
+    )
+    @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
+    def test_with_scopes(self, get, utcnow):
+        get.side_effect = [
+            {
+                # First request is for sevice account info.
+                "email": "service-account@example.com",
+                "scopes": ["one", "two"],
+            },
+            {
+                # Second request is for the token.
+                "access_token": "token",
+                "expires_in": 500,
+            },
+        ]
+
+        # Refresh credentials
+        credentials = self.credentials.with_scopes(("new_scope_one", "new_scope_two"))
+        credentials.refresh(None)
+
+        # Check that scopes are passed to metadata service
+        expected_path = (
+            "instance/service-accounts/service-account%40example.com/token"
+            "?scopes=new_scope_one%2Cnew_scope_two")
+        get.assert_called_with(None, expected_path)
+
+        # Check that the credentials have the token and proper expiration
+        assert credentials.token == "token"
+        assert credentials.expiry == (utcnow() + datetime.timedelta(seconds=500))
+
+        # Check the credential info
+        assert credentials.service_account_email == "service-account@example.com"
+        assert credentials._scopes == ("new_scope_one", "new_scope_two")
+
+        # Check that the credentials are valid (have a token and are not
+        # expired)
+        assert credentials.valid
+
    @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
    def test_refresh_error(self, get):
        get.side_effect = exceptions.TransportError("http error")