Python google.auth() Examples

def _get_gcloud_sdk_credentials():
    """Gets the credentials and project ID from the Cloud SDK."""
    from google.auth import _cloud_sdk

    # Check if application default credentials exist.
    credentials_filename = (
        _cloud_sdk.get_application_default_credentials_path())

    if not os.path.isfile(credentials_filename):
        return None, None

    credentials, project_id = _load_credentials_from_file(
        credentials_filename)

    if not project_id:
        project_id = _cloud_sdk.get_project_id()

    return credentials, project_id 

def _validate(self):
        if not HAS_REQUESTS:
            self.module.fail_json(msg="Please install the requests library")

        if not HAS_GOOGLE_LIBRARIES:
            self.module.fail_json(msg="Please install the google-auth library")

        if self.module.params.get('service_account_email') is not None and self.module.params['auth_kind'] != 'machineaccount':
            self.module.fail_json(
                msg="Service Account Email only works with Machine Account-based authentication"
            )

        if (self.module.params.get('service_account_file') is not None or
                self.module.params.get('service_account_contents') is not None) and self.module.params['auth_kind'] != 'serviceaccount':
            self.module.fail_json(
                msg="Service Account File only works with Service Account-based authentication"
            ) 

def _credentials(self):
        cred_type = self.module.params['auth_kind']
        if cred_type == 'application':
            credentials, project_id = google.auth.default(scopes=self.module.params['scopes'])
            return credentials
        elif cred_type == 'serviceaccount' and self.module.params.get('service_account_file'):
            path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file']))
            return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes'])
        elif cred_type == 'serviceaccount' and self.module.params.get('service_account_contents'):
            try:
                cred = json.loads(self.module.params.get('service_account_contents'))
            except json.decoder.JSONDecodeError as e:
                self.module.fail_json(
                    msg="Unable to decode service_account_contents as JSON"
                )
            return service_account.Credentials.from_service_account_info(cred).with_scopes(self.module.params['scopes'])
        elif cred_type == 'machineaccount':
            return google.auth.compute_engine.Credentials(
                self.module.params['service_account_email'])
        else:
            self.module.fail_json(msg="Credential type '%s' not implemented" % cred_type) 

def retry_auth_check(exception, verbose):
  """Specific check for auth error codes.

  Return True if we should retry.

  False otherwise.
  Args:
    exception: An exception to test for transience.
    verbose: If true, output retry messages

  Returns:
    True if we should retry. False otherwise.
  """
  if isinstance(exception, googleapiclient.errors.HttpError):
    if exception.resp.status in HTTP_AUTH_ERROR_CODES:
      _print_retry_error(exception, verbose)
      return True

  return False 

def setup_service(api_name, api_version, credentials=None):
  """Configures genomics API client.

  Args:
    api_name: Name of the Google API (for example: "genomics")
    api_version: Version of the API (for example: "v2alpha1")
    credentials: Credentials to be used for the gcloud API calls.

  Returns:
    A configured Google Genomics API client with appropriate credentials.
  """
  # dsub is not a server application, so it is ok to filter this warning.
  warnings.filterwarnings(
      'ignore', 'Your application has authenticated using end user credentials')
  if not credentials:
    credentials, _ = google.auth.default()
  return googleapiclient.discovery.build(
      api_name, api_version, credentials=credentials) 

def _get_gcloud_sdk_credentials():
    """Gets the credentials and project ID from the Cloud SDK."""
    from google.auth import _cloud_sdk

    # Check if application default credentials exist.
    credentials_filename = (
        _cloud_sdk.get_application_default_credentials_path())

    if not os.path.isfile(credentials_filename):
        return None, None

    credentials, project_id = _load_credentials_from_file(
        credentials_filename)

    if not project_id:
        project_id = _cloud_sdk.get_project_id()

    return credentials, project_id 

def test_default_creds_with_scopes(self):
        self.instance.extras = {
            'extra__google_cloud_platform__project': default_project,
            'extra__google_cloud_platform__scope': (
                ','.join(
                    (
                        'https://www.googleapis.com/auth/bigquery',
                        'https://www.googleapis.com/auth/devstorage.read_only',
                    )
                )
            ),
        }

        credentials = self.instance._get_credentials()

        if not hasattr(credentials, 'scopes') or credentials.scopes is None:
            # Some default credentials don't have any scopes associated with
            # them, and that's okay.
            return

        scopes = credentials.scopes
        self.assertIn('https://www.googleapis.com/auth/bigquery', scopes)
        self.assertIn(
            'https://www.googleapis.com/auth/devstorage.read_only', scopes) 

def test_provided_scopes(self):
        self.instance.extras = {
            'extra__google_cloud_platform__project': default_project,
            'extra__google_cloud_platform__scope': (
                ','.join(
                    (
                        'https://www.googleapis.com/auth/bigquery',
                        'https://www.googleapis.com/auth/devstorage.read_only',
                    )
                )
            ),
        }

        self.assertEqual(
            self.instance.scopes,
            [
                'https://www.googleapis.com/auth/bigquery',
                'https://www.googleapis.com/auth/devstorage.read_only',
            ],
        ) 

def _get_gcloud_sdk_credentials():
    """Gets the credentials and project ID from the Cloud SDK."""
    from google.auth import _cloud_sdk

    # Check if application default credentials exist.
    credentials_filename = (
        _cloud_sdk.get_application_default_credentials_path())

    if not os.path.isfile(credentials_filename):
        return None, None

    credentials, project_id = _load_credentials_from_file(
        credentials_filename)

    if not project_id:
        project_id = _cloud_sdk.get_project_id()

    return credentials, project_id 

def _get_gce_credentials(request=None):
    """Gets credentials and project ID from the GCE Metadata Service."""
    # Ping requires a transport, but we want application default credentials
    # to require no arguments. So, we'll use the _http_client transport which
    # uses http.client. This is only acceptable because the metadata server
    # doesn't do SSL and never requires proxies.
    from google.auth import compute_engine
    from google.auth.compute_engine import _metadata

    if request is None:
        request = google.auth.transport._http_client.Request()

    if _metadata.ping(request=request):
        # Get the project ID.
        try:
            project_id = _metadata.get_project_id(request=request)
        except exceptions.TransportError:
            project_id = None

        return compute_engine.Credentials(), project_id
    else:
        return None, None 

def test_grpc_request_with_regular_credentials(http_request):
    credentials, project_id = google.auth.default()
    credentials = google.auth.credentials.with_scopes_if_required(
        credentials, ["https://www.googleapis.com/auth/pubsub"]
    )

    transport = publisher_grpc_transport.PublisherGrpcTransport(
        address=publisher_client.PublisherClient.SERVICE_ADDRESS,
        credentials=credentials,
    )

    # Create a pub/sub client.
    client = pubsub_v1.PublisherClient(transport=transport)

    # list the topics and drain the iterator to test that an authorized API
    # call works.
    list_topics_iter = client.list_topics(project="projects/{}".format(project_id))
    list(list_topics_iter) 

def test_grpc_request_with_jwt_credentials():
    credentials, project_id = google.auth.default()
    audience = "https://pubsub.googleapis.com/google.pubsub.v1.Publisher"
    credentials = google.auth.jwt.Credentials.from_signing_credentials(
        credentials, audience=audience
    )

    transport = publisher_grpc_transport.PublisherGrpcTransport(
        address=publisher_client.PublisherClient.SERVICE_ADDRESS,
        credentials=credentials,
    )

    # Create a pub/sub client.
    client = pubsub_v1.PublisherClient(transport=transport)

    # list the topics and drain the iterator to test that an authorized API
    # call works.
    list_topics_iter = client.list_topics(project="projects/{}".format(project_id))
    list(list_topics_iter) 

def test_grpc_request_with_on_demand_jwt_credentials():
    credentials, project_id = google.auth.default()
    credentials = google.auth.jwt.OnDemandCredentials.from_signing_credentials(
        credentials
    )

    transport = publisher_grpc_transport.PublisherGrpcTransport(
        address=publisher_client.PublisherClient.SERVICE_ADDRESS,
        credentials=credentials,
    )

    # Create a pub/sub client.
    client = pubsub_v1.PublisherClient(transport=transport)

    # list the topics and drain the iterator to test that an authorized API
    # call works.
    list_topics_iter = client.list_topics(project="projects/{}".format(project_id))
    list(list_topics_iter) 

def with_scopes(credentials, scopes):
    """Scopes the credentials if necessary.

    Args:
        credentials (Union[
            google.auth.credentials.Credentials,
            oauth2client.client.Credentials]): The credentials to scope.
        scopes (Sequence[str]): The list of scopes.

    Returns:
        Union[google.auth.credentials.Credentials,
            oauth2client.client.Credentials]: The scoped credentials.
    """
    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        return google.auth.credentials.with_scopes_if_required(
            credentials, scopes)
    else:
        try:
            if credentials.create_scoped_required():
                return credentials.create_scoped(scopes)
            else:
                return credentials
        except AttributeError:
            return credentials 

def _get_gcloud_sdk_credentials():
    """Gets the credentials and project ID from the Cloud SDK."""
    from google.auth import _cloud_sdk

    # Check if application default credentials exist.
    credentials_filename = (
        _cloud_sdk.get_application_default_credentials_path())

    if not os.path.isfile(credentials_filename):
        return None, None

    credentials, project_id = _load_credentials_from_file(
        credentials_filename)

    if not project_id:
        project_id = _cloud_sdk.get_project_id()

    return credentials, project_id 

def test_client_library_query_bqstorage():
    # [START bigquery_migration_client_library_query_bqstorage]
    import google.auth
    from google.cloud import bigquery
    from google.cloud import bigquery_storage_v1beta1

    # Create a BigQuery client and a BigQuery Storage API client with the same
    # credentials to avoid authenticating twice.
    credentials, project_id = google.auth.default(
        scopes=["https://www.googleapis.com/auth/cloud-platform"]
    )
    client = bigquery.Client(credentials=credentials, project=project_id)
    bqstorage_client = bigquery_storage_v1beta1.BigQueryStorageClient(
        credentials=credentials
    )
    sql = "SELECT * FROM `bigquery-public-data.irs_990.irs_990_2012`"

    # Use a BigQuery Storage API client to download results more quickly.
    df = client.query(sql).to_dataframe(bqstorage_client=bqstorage_client)
    # [END bigquery_migration_client_library_query_bqstorage]
    assert len(df) > 0 

def clients():
    # [START bigquerystorage_pandas_tutorial_all]
    # [START bigquerystorage_pandas_tutorial_create_client]
    import google.auth
    from google.cloud import bigquery
    from google.cloud import bigquery_storage_v1beta1

    # Explicitly create a credentials object. This allows you to use the same
    # credentials for both the BigQuery and BigQuery Storage clients, avoiding
    # unnecessary API calls to fetch duplicate authentication tokens.
    credentials, your_project_id = google.auth.default(
        scopes=["https://www.googleapis.com/auth/cloud-platform"]
    )

    # Make clients.
    bqclient = bigquery.Client(
        credentials=credentials,
        project=your_project_id,
    )
    bqstorageclient = bigquery_storage_v1beta1.BigQueryStorageClient(
        credentials=credentials
    )
    # [END bigquerystorage_pandas_tutorial_create_client]
    # [END bigquerystorage_pandas_tutorial_all]
    return bqclient, bqstorageclient 

def implicit():
    import google.auth
    from google.auth.transport import requests

    # Get the credentials and project ID from the environment.
    credentials, project = google.auth.default(
        scopes=['https://www.googleapis.com/auth/cloud-platform'])

    # Create a requests Session object with the credentials.
    session = requests.AuthorizedSession(credentials)

    # Make an authenticated API request
    response = session.get(
        'https://www.googleapis.com/storage/v1/b'.format(project),
        params={'project': project})
    response.raise_for_status()
    buckets = response.json()
    print(buckets)
# [END auth_http_implicit]


# [START auth_http_explicit] 

def explicit(project):
    from google.auth.transport import requests
    from google.oauth2 import service_account

    # Construct service account credentials using the service account key
    # file.
    credentials = service_account.Credentials.from_service_account_file(
        'service_account.json')
    credentials = credentials.with_scopes(
        ['https://www.googleapis.com/auth/cloud-platform'])

    # Create a requests Session object with the credentials.
    session = requests.AuthorizedSession(credentials)

    # Make an authenticated API request
    response = session.get(
        'https://www.googleapis.com/storage/v1/b'.format(project),
        params={'project': project})
    response.raise_for_status()
    buckets = response.json()
    print(buckets)
# [END auth_http_explicit] 

def _get_gcloud_sdk_credentials():
    """Gets the credentials and project ID from the Cloud SDK."""
    from google.auth import _cloud_sdk

    # Check if application default credentials exist.
    credentials_filename = (
        _cloud_sdk.get_application_default_credentials_path())

    if not os.path.isfile(credentials_filename):
        return None, None

    credentials, project_id = _load_credentials_from_file(
        credentials_filename)

    if not project_id:
        project_id = _cloud_sdk.get_project_id()

    return credentials, project_id 

def _get_gce_credentials(request=None):
    """Gets credentials and project ID from the GCE Metadata Service."""
    # Ping requires a transport, but we want application default credentials
    # to require no arguments. So, we'll use the _http_client transport which
    # uses http.client. This is only acceptable because the metadata server
    # doesn't do SSL and never requires proxies.
    from google.auth import compute_engine
    from google.auth.compute_engine import _metadata

    if request is None:
        request = google.auth.transport._http_client.Request()

    if _metadata.ping(request=request):
        # Get the project ID.
        try:
            project_id = _metadata.get_project_id(request=request)
        except exceptions.TransportError:
            project_id = None

        return compute_engine.Credentials(), project_id
    else:
        return None, None 

def _warn_about_problematic_credentials(credentials):
    """Determines if the credentials are problematic.

    Credentials from the Cloud SDK that are associated with Cloud SDK's project
    are problematic because they may not have APIs enabled and have limited
    quota. If this is the case, warn about it.
    """
    from google.auth import _cloud_sdk
    if credentials.client_id == _cloud_sdk.CLOUD_SDK_CLIENT_ID:
        warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING) 

def _get_gae_credentials():
    """Gets Google App Engine App Identity credentials and project ID."""
    # While this library is normally bundled with app_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        import google.auth.app_engine as app_engine
    except ImportError:
        return None, None

    try:
        credentials = app_engine.Credentials()
        project_id = app_engine.get_project_id()
        return credentials, project_id
    except EnvironmentError:
        return None, None 

def _get_gce_credentials(request=None):
    """Gets credentials and project ID from the GCE Metadata Service."""
    # Ping requires a transport, but we want application default credentials
    # to require no arguments. So, we'll use the _http_client transport which
    # uses http.client. This is only acceptable because the metadata server
    # doesn't do SSL and never requires proxies.

    # While this library is normally bundled with compute_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        from google.auth import compute_engine
        from google.auth.compute_engine import _metadata
    except ImportError:
        return None, None

    if request is None:
        request = google.auth.transport._http_client.Request()

    if _metadata.ping(request=request):
        # Get the project ID.
        try:
            project_id = _metadata.get_project_id(request=request)
        except exceptions.TransportError:
            project_id = None

        return compute_engine.Credentials(), project_id
    else:
        return None, None 

def credentials(self):
        """google.auth.credentials.Credentials: Credentials to use for queries
        performed through IPython magics

        Note:
            These credentials do not need to be explicitly defined if you are
            using Application Default Credentials. If you are not using
            Application Default Credentials, manually construct a
            :class:`google.auth.credentials.Credentials` object and set it as
            the context credentials as demonstrated in the example below. See
            `auth docs`_ for more information on obtaining credentials.

        Example:
            Manually setting the context credentials:

            >>> from google.cloud.bigquery import magics
            >>> from google.oauth2 import service_account
            >>> credentials = (service_account
            ...     .Credentials.from_service_account_file(
            ...         '/path/to/key.json'))
            >>> magics.context.credentials = credentials


        .. _auth docs: http://google-auth.readthedocs.io
            /en/latest/user-guide.html#obtaining-credentials
        """
        if self._credentials is None:
            self._credentials, _ = google.auth.default()
        return self._credentials 

def setup_auth(self, project_id=None, service_account_json_file=None):
    """Sets up authentication with Google APIs.

    This will use the credentials from service_account_json_file if provided,
    falling back to application default credentials. See
    https://cloud.google.com/docs/authentication/production.

    Args:
      project_id: A string specifying the GCP project ID (e.g. my-project). If
        not provided, will attempt to retrieve it from the credentials.
      service_account_json_file: A string specifying the path to a service
        account json file. If not provided, will default to application default
        credentials.

    Returns:
      A string representing the project ID.
    """
    if service_account_json_file:
      self._credentials = (
          service_account.Credentials.from_service_account_file(
              service_account_json_file, scopes=_SCOPE))
      if not project_id:
        with open(service_account_json_file) as f:
          project_id = json.load(f).get('project_id')
    else:
      self._credentials, credentials_project_id = google.auth.default(
          scopes=_SCOPE)
      project_id = project_id or credentials_project_id
    return project_id 

def load_kube_config() -> Tuple[bool, Exception]:
	"""
	Loads the user's kube-config

	:return: ((bool) whether or not exception ocurred while loading config,
			  (Exception) exception if google auth error thrown, or (str) "" if no google exception)
	"""

	try:
		config.load_kube_config()
	except google.auth.exceptions.RefreshError as e:
		return (False, e)
	else:
		return (True, "") 

def _warn_about_problematic_credentials(credentials):
    """Determines if the credentials are problematic.

    Credentials from the Cloud SDK that are associated with Cloud SDK's project
    are problematic because they may not have APIs enabled and have limited
    quota. If this is the case, warn about it.
    """
    from google.auth import _cloud_sdk
    if credentials.client_id == _cloud_sdk.CLOUD_SDK_CLIENT_ID:
        warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING) 

def _get_gae_credentials():
    """Gets Google App Engine App Identity credentials and project ID."""
    # While this library is normally bundled with app_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        import google.auth.app_engine as app_engine
    except ImportError:
        return None, None

    try:
        credentials = app_engine.Credentials()
        project_id = app_engine.get_project_id()
        return credentials, project_id
    except EnvironmentError:
        return None, None 

def _get_gce_credentials(request=None):
    """Gets credentials and project ID from the GCE Metadata Service."""
    # Ping requires a transport, but we want application default credentials
    # to require no arguments. So, we'll use the _http_client transport which
    # uses http.client. This is only acceptable because the metadata server
    # doesn't do SSL and never requires proxies.

    # While this library is normally bundled with compute_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        from google.auth import compute_engine
        from google.auth.compute_engine import _metadata
    except ImportError:
        return None, None

    if request is None:
        request = google.auth.transport._http_client.Request()

    if _metadata.ping(request=request):
        # Get the project ID.
        try:
            project_id = _metadata.get_project_id(request=request)
        except exceptions.TransportError:
            project_id = None

        return compute_engine.Credentials(), project_id
    else:
        return None, None 

def make_channel(self):
        """Creates a secure channel."""

        request = google.auth.transport.requests.Request()
        target = self._api_host + ':443'

        if not self._checked:
            # Refresh now, to catch any errors early. Otherwise, they'll be
            # raised and swallowed somewhere inside gRPC.
            self._credentials.refresh(request)
            self._checked = True

        return google.auth.transport.grpc.secure_authorized_channel(
            self._credentials, request, target) 

def do_request(self):
        """Establishes a connection and starts sending audio to the cloud
        endpoint. Responses are handled by the subclass until one returns a
        result.

        Returns:
            namedtuple with the following fields:
                transcript: string with transcript of user query
                response_audio: optionally, an audio response from the server

        Raises speech.Error on error.
        """
        try:
            service = self._make_service(self._channel_factory.make_channel())

            response_stream = self._create_response_stream(
                service, self._request_stream(), self.DEADLINE_SECS)

            if self._audio_logging_enabled:
                self._start_logging_request()

            return self._handle_response_stream(response_stream)
        except (
                google.auth.exceptions.GoogleAuthError,
                grpc.RpcError,
        ) as exc:
            raise Error('Exception in speech request') from exc 

def __init__(self, credentials_file):
        os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = credentials_file
        credentials, _ = google.auth.default(scopes=[self.SCOPE])

        super().__init__('speech.googleapis.com', credentials)

        self.language_code = aiy.i18n.get_language_code()

        if not hasattr(cloud_speech, 'StreamingRecognizeRequest'):
            raise ValueError("cloud_speech_pb2.py doesn't have StreamingRecognizeRequest.")

        self._transcript = None 

def make_channel(self):
        """Creates a secure channel."""

        request = google.auth.transport.requests.Request()
        target = self._api_host + ':443'

        if not self._checked:
            # Refresh now, to catch any errors early. Otherwise, they'll be
            # raised and swallowed somewhere inside gRPC.
            self._credentials.refresh(request)
            self._checked = True

        return google.auth.transport.grpc.secure_authorized_channel(
            self._credentials, request, target) 

def do_request(self):
        """Establishes a connection and starts sending audio to the cloud
        endpoint. Responses are handled by the subclass until one returns a
        result.

        Returns:
            namedtuple with the following fields:
                transcript: string with transcript of user query
                response_audio: optionally, an audio response from the server

        Raises speech.Error on error.
        """
        try:
            service = self._make_service(self._channel_factory.make_channel())

            response_stream = self._create_response_stream(
                service, self._request_stream(), self.DEADLINE_SECS)

            if self._audio_logging_enabled:
                self._start_logging_request()

            return self._handle_response_stream(response_stream)
        except (
                google.auth.exceptions.GoogleAuthError,
                grpc.RpcError,
        ) as exc:
            raise Error('Exception in speech request') from exc 

def evaluate(self):
        credentials, project = google.auth.default(scopes=['https://www.googleapis.com/auth/cloud-platform'])
        authed_session = AuthorizedSession(credentials)
        basename="https://automl.googleapis.com/v1beta1/"
        cmd = basename + self.operation_name
        response=authed_session.get(cmd)
        result=json.loads(response.content)
        self.ctx.log("Operation name: {}".format(result["name"]))
     
        if (("done" in result.keys()) and result["done"]): 
            self.ctx.log("Model training complete.")
            self.model_name = result["response"]["name"]
            self.ctx.log("Model full name: {}".format(self.model_name))   
            self.ctx.config['google'].yaml['model_name'] = self.model_name
            self.ctx.config['google'].write()  
            response = self.client.list_model_evaluations(self.model_name)
            self.ctx.log("List of model evaluations:")
            for evaluation in response:
                self.ctx.log("Model evaluation name: {}".format(evaluation.name))
                self.ctx.log("Model evaluation id: {}".format(evaluation.name.split("/")[-1]))
                self.ctx.log("Model evaluation example count: {}".format(
                    evaluation.evaluated_example_count))
                self.ctx.log("Model evaluation time: {} seconds".format(evaluation.create_time.seconds))
                self.ctx.log("Full model evaluation: {}".format(inspect.getmembers(evaluation) ))
                self.ctx.log("\n")
        else:
            self.ctx.log("Model still training...") 

def _patch_appengine_modules_for_bots():
  """Patch out App Engine reliant behaviour from bots."""
  if os.getenv('SERVER_SOFTWARE'):
    # Not applicable on App Engine.
    return

  # google.auth uses App Engine credentials based on importability of
  # google.appengine.api.app_identity.
  try:
    from google.auth import app_engine as auth_app_engine
    if auth_app_engine.app_identity:
      auth_app_engine.app_identity = None
  except ImportError:
    pass 

def get_google_open_id_connect_token(service_account_credentials):
  """
  Get an OpenID Connect token issued by Google for the service account.
  This function:
    1. Generates a JWT signed with the service account's private key containing
       a special "target_audience" claim.
    2. Sends it to the OAUTH_TOKEN_URI endpoint. Because the JWT in #1 has a
       target_audience claim, that endpoint will respond with an OpenID Connect
       token for the service account -- in other words, a JWT signed by
       *Google*. The aud claim in this JWT will be set to the value from the
       target_audience claim in #1.
  For more information, see
  https://developers.google.com/identity/protocols/OAuth2ServiceAccount .
  The HTTP/REST example on that page describes the JWT structure and
  demonstrates how to call the token endpoint. (The example on that page shows
  how to get an OAuth2 access token; this code is using a modified version of it
  to get an OpenID Connect token.)
  """

  service_account_jwt = (
      service_account_credentials._make_authorization_grant_assertion())
  request = google.auth.transport.requests.Request()
  body = {
      'assertion': service_account_jwt,
      'grant_type': google.oauth2._client._JWT_GRANT_TYPE,
  }
  token_response = google.oauth2._client._token_endpoint_request(
      request, OAUTH_TOKEN_URI, body)
  return token_response['id_token'] 

def receive_messages():
    """Receives messages from a pull subscription."""

    scopes = ['https://www.googleapis.com/auth/chat.bot']
    credentials, project_id = google.auth.default()
    credentials = credentials.with_scopes(scopes=scopes)
    chat = build('chat', 'v1', credentials=credentials)

    subscription_id = os.environ.get('SUBSCRIPTION_ID')
    subscriber = pubsub_v1.SubscriberClient()
    subscription_path = subscriber.subscription_path(
        project_id, subscription_id)

    def callback(message):
        logging.info('Received message: %s', message.data)

        event = json.loads(message.data)
        space_name = event['space']['name']

        # If the bot was removed, we don't need to return a response.
        if event['type'] == 'REMOVED_FROM_SPACE':
            logging.info('Bot removed rom space %s', space_name)
            return

        response = format_response(event)

        # Send the asynchronous response back to Hangouts Chat
        chat.spaces().messages().create(
            parent=space_name,
            body=response).execute()
        message.ack()

    subscriber.subscribe(subscription_path, callback=callback)
    logging.info('Listening for messages on %s', subscription_path)

    # Keep main thread from exiting while waiting for messages
    while True:
        time.sleep(60) 

def credentials(self):
    if not self.__credentials:
      warnings.filterwarnings("ignore",
                              "Your application has authenticated using end user credentials")
      if self.gcr_key_file:
        logging.debug('Using key file: %s' % self.gcr_key_file)
        self.__credentials = service_account.Credentials.from_service_account_file(
            self.gcr_key_file,
            scopes=['https://www.googleapis.com/auth/devstorage.read_write'])
      else:
        logging.debug('Using default credentials')
        self.__credentials, project = google.auth.default(
            scopes=['https://www.googleapis.com/auth/devstorage.read_write'])
    return self.__credentials 

def token(self):
    self.credentials().refresh(google.auth.transport.requests.Request())
    return self.credentials().token 

def test_default_scopes(self):
        self.instance.extras = {'extra__google_cloud_platform__project': default_project}

        self.assertEqual(self.instance.scopes, ('https://www.googleapis.com/auth/cloud-platform',)) 

def _get_credentials(self) -> google.auth.credentials.Credentials:
        """
        Returns the Credentials object for Google API
        """
        credentials, _ = self._get_credentials_and_project_id()
        return credentials 

def _warn_about_problematic_credentials(credentials):
    """Determines if the credentials are problematic.

    Credentials from the Cloud SDK that are associated with Cloud SDK's project
    are problematic because they may not have APIs enabled and have limited
    quota. If this is the case, warn about it.
    """
    from google.auth import _cloud_sdk
    if credentials.client_id == _cloud_sdk.CLOUD_SDK_CLIENT_ID:
        warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING) 

def _get_gae_credentials():
    """Gets Google App Engine App Identity credentials and project ID."""
    from google.auth import app_engine

    try:
        credentials = app_engine.Credentials()
        project_id = app_engine.get_project_id()
        return credentials, project_id
    except EnvironmentError:
        return None, None 

def default_credentials():
    """Returns Application Default Credentials."""
    if HAS_GOOGLE_AUTH:
        credentials, _ = google.auth.default()
        return credentials
    elif HAS_OAUTH2CLIENT:
        return oauth2client.client.GoogleCredentials.get_application_default()
    else:
        raise EnvironmentError(
            'No authentication library is available. Please install either '
            'google-auth or oauth2client.') 

def authorized_http(credentials):
    """Returns an http client that is authorized with the given credentials.

    Args:
        credentials (Union[
            google.auth.credentials.Credentials,
            oauth2client.client.Credentials]): The credentials to use.

    Returns:
        Union[httplib2.Http, google_auth_httplib2.AuthorizedHttp]: An
            authorized http client.
    """
    from googleapiclient.http import build_http

    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        if google_auth_httplib2 is None:
            raise ValueError(
                'Credentials from google.auth specified, but '
                'google-api-python-client is unable to use these credentials '
                'unless google-auth-httplib2 is installed. Please install '
                'google-auth-httplib2.')
        return google_auth_httplib2.AuthorizedHttp(credentials,
                                                   http=build_http())
    else:
        return credentials.authorize(build_http()) 

def refresh_credentials(credentials):
    # Refresh must use a new http instance, as the one associated with the
    # credentials could be a AuthorizedHttp or an oauth2client-decorated
    # Http instance which would cause a weird recursive loop of refreshing
    # and likely tear a hole in spacetime.
    refresh_http = httplib2.Http()
    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        request = google_auth_httplib2.Request(refresh_http)
        return credentials.refresh(request)
    else:
        return credentials.refresh(refresh_http) 

def apply_credentials(credentials, headers):
    # oauth2client and google-auth have the same interface for this.
    if not is_valid(credentials):
        refresh_credentials(credentials)
    return credentials.apply(headers) 

def is_valid(credentials):
    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        return credentials.valid
    else:
        return (
            credentials.access_token is not None and
            not credentials.access_token_expired) 

def test_default():
    credentials, project_id = google.auth.default()

    assert isinstance(credentials, app_engine.Credentials)
    assert project_id == app_identity.get_application_id() 

def _warn_about_problematic_credentials(credentials):
    """Determines if the credentials are problematic.

    Credentials from the Cloud SDK that are associated with Cloud SDK's project
    are problematic because they may not have APIs enabled and have limited
    quota. If this is the case, warn about it.
    """
    from google.auth import _cloud_sdk

    if credentials.client_id == _cloud_sdk.CLOUD_SDK_CLIENT_ID:
        warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING) 

def _get_gae_credentials():
    """Gets Google App Engine App Identity credentials and project ID."""
    # While this library is normally bundled with app_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        import google.auth.app_engine as app_engine
    except ImportError:
        return None, None

    try:
        credentials = app_engine.Credentials()
        project_id = app_engine.get_project_id()
        return credentials, project_id
    except EnvironmentError:
        return None, None 

def _get_gce_credentials(request=None):
    """Gets credentials and project ID from the GCE Metadata Service."""
    # Ping requires a transport, but we want application default credentials
    # to require no arguments. So, we'll use the _http_client transport which
    # uses http.client. This is only acceptable because the metadata server
    # doesn't do SSL and never requires proxies.

    # While this library is normally bundled with compute_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        from google.auth import compute_engine
        from google.auth.compute_engine import _metadata
    except ImportError:
        return None, None

    if request is None:
        request = google.auth.transport._http_client.Request()

    if _metadata.ping(request=request):
        # Get the project ID.
        try:
            project_id = _metadata.get_project_id(request=request)
        except exceptions.TransportError:
            project_id = None

        return compute_engine.Credentials(), project_id
    else:
        return None, None 

def default_credentials():
    """Returns Application Default Credentials."""
    if HAS_GOOGLE_AUTH:
        credentials, _ = google.auth.default()
        return credentials
    elif HAS_OAUTH2CLIENT:
        return oauth2client.client.GoogleCredentials.get_application_default()
    else:
        raise EnvironmentError(
            'No authentication library is available. Please install either '
            'google-auth or oauth2client.') 

def authorized_http(credentials):
    """Returns an http client that is authorized with the given credentials.

    Args:
        credentials (Union[
            google.auth.credentials.Credentials,
            oauth2client.client.Credentials]): The credentials to use.

    Returns:
        Union[httplib2.Http, google_auth_httplib2.AuthorizedHttp]: An
            authorized http client.
    """
    from googleapiclient.http import build_http

    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        if google_auth_httplib2 is None:
            raise ValueError(
                'Credentials from google.auth specified, but '
                'google-api-python-client is unable to use these credentials '
                'unless google-auth-httplib2 is installed. Please install '
                'google-auth-httplib2.')
        return google_auth_httplib2.AuthorizedHttp(credentials,
                                                   http=build_http())
    else:
        return credentials.authorize(build_http()) 

def refresh_credentials(credentials):
    # Refresh must use a new http instance, as the one associated with the
    # credentials could be a AuthorizedHttp or an oauth2client-decorated
    # Http instance which would cause a weird recursive loop of refreshing
    # and likely tear a hole in spacetime.
    refresh_http = httplib2.Http()
    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        request = google_auth_httplib2.Request(refresh_http)
        return credentials.refresh(request)
    else:
        return credentials.refresh(refresh_http) 

def apply_credentials(credentials, headers):
    # oauth2client and google-auth have the same interface for this.
    return credentials.apply(headers) 

def get_gc_credentials(key_path=None, keyfile_dict=None, scopes=None):
    """
    Returns the Credentials object for Google API
    """
    key_path = key_path or get_key_path()
    keyfile_dict = keyfile_dict or get_keyfile_dict()
    scopes = scopes or get_scopes()

    if scopes is not None:
        scopes = [s.strip() for s in scopes.split(',')]
    else:
        scopes = DEFAULT_SCOPES

    if not key_path and not keyfile_dict:
        logger.info('Getting connection using `google.auth.default()` '
                    'since no key file is defined for hook.')
        credentials, _ = google.auth.default(scopes=scopes)
    elif key_path:
        # Get credentials from a JSON file.
        if key_path.endswith('.json'):
            logger.info('Getting connection using a JSON key file.')
            credentials = Credentials.from_service_account_file(
                os.path.abspath(key_path), scopes=scopes)
        else:
            raise PolyaxonStoresException('Unrecognised extension for key file.')
    else:
        # Get credentials from JSON data.
        try:
            if not isinstance(keyfile_dict, Mapping):
                keyfile_dict = json.loads(keyfile_dict)

            # Convert escaped newlines to actual newlines if any.
            keyfile_dict['private_key'] = keyfile_dict['private_key'].replace('\\n', '\n')

            credentials = Credentials.from_service_account_info(keyfile_dict, scopes=scopes)
        except ValueError:  # json.decoder.JSONDecodeError does not exist on py2
            raise PolyaxonStoresException('Invalid key JSON.')

    return credentials 

def get_google_open_id_connect_token(
        service_account_credentials: google.oauth2.credentials.Credentials):
    """Get an OpenID Connect token issued by Google for the service account.
    """

    service_account_jwt = (
        service_account_credentials._make_authorization_grant_assertion())
    request = google.auth.transport.requests.Request()
    body = {
        'assertion': service_account_jwt,
        'grant_type': google.oauth2._client._JWT_GRANT_TYPE,
    }
    token_response = google.oauth2._client._token_endpoint_request(
        request, _OAUTH_TOKEN_URI, body)
    return token_response['id_token'] 

def _warn_about_problematic_credentials(credentials):
    """Determines if the credentials are problematic.

    Credentials from the Cloud SDK that are associated with Cloud SDK's project
    are problematic because they may not have APIs enabled and have limited
    quota. If this is the case, warn about it.
    """
    from google.auth import _cloud_sdk
    if credentials.client_id == _cloud_sdk.CLOUD_SDK_CLIENT_ID:
        warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING) 

def _get_gae_credentials():
    """Gets Google App Engine App Identity credentials and project ID."""
    # While this library is normally bundled with app_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        import google.auth.app_engine as app_engine
    except ImportError:
        return None, None

    try:
        credentials = app_engine.Credentials()
        project_id = app_engine.get_project_id()
        return credentials, project_id
    except EnvironmentError:
        return None, None 

def _get_gce_credentials(request=None):
    """Gets credentials and project ID from the GCE Metadata Service."""
    # Ping requires a transport, but we want application default credentials
    # to require no arguments. So, we'll use the _http_client transport which
    # uses http.client. This is only acceptable because the metadata server
    # doesn't do SSL and never requires proxies.

    # While this library is normally bundled with compute_engine, there are
    # some cases where it's not available, so we tolerate ImportError.
    try:
        from google.auth import compute_engine
        from google.auth.compute_engine import _metadata
    except ImportError:
        return None, None

    if request is None:
        request = google.auth.transport._http_client.Request()

    if _metadata.ping(request=request):
        # Get the project ID.
        try:
            project_id = _metadata.get_project_id(request=request)
        except exceptions.TransportError:
            project_id = None

        return compute_engine.Credentials(), project_id
    else:
        return None, None 

def default_credentials():
    """Returns Application Default Credentials."""
    if HAS_GOOGLE_AUTH:
        credentials, _ = google.auth.default()
        return credentials
    elif HAS_OAUTH2CLIENT:
        return oauth2client.client.GoogleCredentials.get_application_default()
    else:
        raise EnvironmentError(
            'No authentication library is available. Please install either '
            'google-auth or oauth2client.') 

def authorized_http(credentials):
    """Returns an http client that is authorized with the given credentials.

    Args:
        credentials (Union[
            google.auth.credentials.Credentials,
            oauth2client.client.Credentials]): The credentials to use.

    Returns:
        Union[httplib2.Http, google_auth_httplib2.AuthorizedHttp]: An
            authorized http client.
    """
    from googleapiclient.http import build_http

    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        if google_auth_httplib2 is None:
            raise ValueError(
                'Credentials from google.auth specified, but '
                'google-api-python-client is unable to use these credentials '
                'unless google-auth-httplib2 is installed. Please install '
                'google-auth-httplib2.')
        return google_auth_httplib2.AuthorizedHttp(credentials,
                                                   http=build_http())
    else:
        return credentials.authorize(build_http()) 

def refresh_credentials(credentials):
    # Refresh must use a new http instance, as the one associated with the
    # credentials could be a AuthorizedHttp or an oauth2client-decorated
    # Http instance which would cause a weird recursive loop of refreshing
    # and likely tear a hole in spacetime.
    refresh_http = httplib2.Http()
    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        request = google_auth_httplib2.Request(refresh_http)
        return credentials.refresh(request)
    else:
        return credentials.refresh(refresh_http) 

def apply_credentials(credentials, headers):
    # oauth2client and google-auth have the same interface for this.
    if not is_valid(credentials):
        refresh_credentials(credentials)
    return credentials.apply(headers) 

def is_valid(credentials):
    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        return credentials.valid
    else:
        return (
            credentials.access_token is not None and
            not credentials.access_token_expired) 

def _authenticate(self, cache_discovery):

    import google_auth_httplib2
    import googleapiclient.discovery

    scope = ['https://www.googleapis.com/auth/cloud-platform']
    if self.credentials_path:
      try:
        from google.oauth2 import service_account
        credentials = service_account.Credentials.from_service_account_file(
            self.credentials_path)
        scoped_credentials = credentials.with_scopes(scope)
      except ImportError:
        logging.error('Failed to load google.oauth2.service_account module. '
                      'If you are running this script in Google App Engine '
                      'environment, you can initialize the segmenter with '
                      'default credentials.')

    else:
      import google.auth
      scoped_credentials, _ = google.auth.default(scope)
    authed_http = google_auth_httplib2.AuthorizedHttp(scoped_credentials)
    service = googleapiclient.discovery.build(
        'language', 'v1beta2', http=authed_http,
        cache_discovery=cache_discovery)
    return service 

def mock_credentials(*args, **kwargs):
    credentials, _ = google.auth.default(
        ["https://www.googleapis.com/auth/cloud-platform"]
    )
    return credentials 

def get_client_id(project_id, location, composer_environment):
    # [START composer_get_environment_client_id]
    import google.auth
    import google.auth.transport.requests
    import requests
    import six.moves.urllib.parse

    # Authenticate with Google Cloud.
    # See: https://cloud.google.com/docs/authentication/getting-started
    credentials, _ = google.auth.default(
        scopes=['https://www.googleapis.com/auth/cloud-platform'])
    authed_session = google.auth.transport.requests.AuthorizedSession(
        credentials)

    # project_id = 'YOUR_PROJECT_ID'
    # location = 'us-central1'
    # composer_environment = 'YOUR_COMPOSER_ENVIRONMENT_NAME'

    environment_url = (
        'https://composer.googleapis.com/v1beta1/projects/{}/locations/{}'
        '/environments/{}').format(project_id, location, composer_environment)
    composer_response = authed_session.request('GET', environment_url)
    environment_data = composer_response.json()
    airflow_uri = environment_data['config']['airflowUri']

    # The Composer environment response does not include the IAP client ID.
    # Make a second, unauthenticated HTTP request to the web server to get the
    # redirect URI.
    redirect_response = requests.get(airflow_uri, allow_redirects=False)
    redirect_location = redirect_response.headers['location']

    # Extract the client_id query parameter from the redirect.
    parsed = six.moves.urllib.parse.urlparse(redirect_location)
    query_string = six.moves.urllib.parse.parse_qs(parsed.query)
    print(query_string['client_id'][0])
    # [END composer_get_environment_client_id] 

def get_google_open_id_connect_token(service_account_credentials):
    """Get an OpenID Connect token issued by Google for the service account.

    This function:

      1. Generates a JWT signed with the service account's private key
         containing a special "target_audience" claim.

      2. Sends it to the OAUTH_TOKEN_URI endpoint. Because the JWT in #1
         has a target_audience claim, that endpoint will respond with
         an OpenID Connect token for the service account -- in other words,
         a JWT signed by *Google*. The aud claim in this JWT will be
         set to the value from the target_audience claim in #1.

    For more information, see
    https://developers.google.com/identity/protocols/OAuth2ServiceAccount .
    The HTTP/REST example on that page describes the JWT structure and
    demonstrates how to call the token endpoint. (The example on that page
    shows how to get an OAuth2 access token; this code is using a
    modified version of it to get an OpenID Connect token.)
    """

    service_account_jwt = (
        service_account_credentials._make_authorization_grant_assertion())
    request = google.auth.transport.requests.Request()
    body = {
        'assertion': service_account_jwt,
        'grant_type': google.oauth2._client._JWT_GRANT_TYPE,
    }
    token_response = google.oauth2._client._token_endpoint_request(
        request, OAUTH_TOKEN_URI, body)
    return token_response['id_token']

# [END iap_make_request] 

def get_google_open_id_connect_token(service_account_credentials):
    """Get an OpenID Connect token issued by Google for the service account.

    This function:

      1. Generates a JWT signed with the service account's private key
         containing a special "target_audience" claim.

      2. Sends it to the OAUTH_TOKEN_URI endpoint. Because the JWT in #1
         has a target_audience claim, that endpoint will respond with
         an OpenID Connect token for the service account -- in other words,
         a JWT signed by *Google*. The aud claim in this JWT will be
         set to the value from the target_audience claim in #1.

    For more information, see
    https://developers.google.com/identity/protocols/OAuth2ServiceAccount .
    The HTTP/REST example on that page describes the JWT structure and
    demonstrates how to call the token endpoint. (The example on that page
    shows how to get an OAuth2 access token; this code is using a
    modified version of it to get an OpenID Connect token.)
    """

    service_account_jwt = (
        service_account_credentials._make_authorization_grant_assertion())
    request = google.auth.transport.requests.Request()
    body = {
        'assertion': service_account_jwt,
        'grant_type': google.oauth2._client._JWT_GRANT_TYPE,
    }
    token_response = google.oauth2._client._token_endpoint_request(
        request, OAUTH_TOKEN_URI, body)
    return token_response['id_token']
# END COPIED IAP CODE

# [END composer_trigger] 

def _warn_about_problematic_credentials(credentials):
    """Determines if the credentials are problematic.

    Credentials from the Cloud SDK that are associated with Cloud SDK's project
    are problematic because they may not have APIs enabled and have limited
    quota. If this is the case, warn about it.
    """
    from google.auth import _cloud_sdk
    if credentials.client_id == _cloud_sdk.CLOUD_SDK_CLIENT_ID:
        warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING) 

def _get_gae_credentials():
    """Gets Google App Engine App Identity credentials and project ID."""
    from google.auth import app_engine

    try:
        credentials = app_engine.Credentials()
        project_id = app_engine.get_project_id()
        return credentials, project_id
    except EnvironmentError:
        return None, None 

def default_credentials():
    """Returns Application Default Credentials."""
    if HAS_GOOGLE_AUTH:
        credentials, _ = google.auth.default()
        return credentials
    elif HAS_OAUTH2CLIENT:
        return oauth2client.client.GoogleCredentials.get_application_default()
    else:
        raise EnvironmentError(
            'No authentication library is available. Please install either '
            'google-auth or oauth2client.') 

def authorized_http(credentials):
    """Returns an http client that is authorized with the given credentials.

    Args:
        credentials (Union[
            google.auth.credentials.Credentials,
            oauth2client.client.Credentials]): The credentials to use.

    Returns:
        Union[httplib2.Http, google_auth_httplib2.AuthorizedHttp]: An
            authorized http client.
    """
    from googleapiclient.http import build_http

    if HAS_GOOGLE_AUTH and isinstance(
            credentials, google.auth.credentials.Credentials):
        if google_auth_httplib2 is None:
            raise ValueError(
                'Credentials from google.auth specified, but '
                'google-api-python-client is unable to use these credentials '
                'unless google-auth-httplib2 is installed. Please install '
                'google-auth-httplib2.')
        return google_auth_httplib2.AuthorizedHttp(credentials,
                                                   http=build_http())
    else:
        return credentials.authorize(build_http()) 

def retry_api_check(exception, verbose):
  """Return True if we should retry. False otherwise.

  Args:
    exception: An exception to test for transience.
    verbose: If true, output retry messages

  Returns:
    True if we should retry. False otherwise.
  """
  if isinstance(exception, googleapiclient.errors.HttpError):
    if exception.resp.status in TRANSIENT_HTTP_ERROR_CODES:
      _print_retry_error(exception, verbose)
      return True

  if isinstance(exception, socket.error):
    if exception.errno in TRANSIENT_SOCKET_ERROR_CODES:
      _print_retry_error(exception, verbose)
      return True

  if isinstance(exception, google.auth.exceptions.RefreshError):
    _print_retry_error(exception, verbose)
    return True

  # For a given installation, this could be a permanent error, but has only
  # been observed as transient.
  if isinstance(exception, SSLError):
    _print_retry_error(exception, verbose)
    return True

  # This has been observed as a transient error:
  #   ServerNotFoundError: Unable to find the server at genomics.googleapis.com
  if isinstance(exception, ServerNotFoundError):
    _print_retry_error(exception, verbose)
    return True

  # Observed to be thrown transiently from auth libraries which use httplib2
  # Use the one from six because httlib no longer exists in Python3
  # https://docs.python.org/2/library/httplib.html
  if isinstance(exception, six.moves.http_client.ResponseNotReady):
    _print_retry_error(exception, verbose)
    return True

  return False 

def get_service_account_token(client_id):
  """
  Get open id connect token for default service account.
  Returns:
    The open id connect token for default service account.
  """
  # Figure out what environment we're running in and get some preliminary
  # information about the service account.
  bootstrap_credentials, _ = google.auth.default(scopes=[IAM_SCOPE])
  if isinstance(bootstrap_credentials, google.oauth2.credentials.Credentials):
    raise Exception('make_iap_request is only supported for service '
                    'accounts.')
  elif isinstance(bootstrap_credentials, google.auth.app_engine.Credentials):
    requests_toolbelt.adapters.appengine.monkeypatch()

  # For service account's using the Compute Engine metadata service,
  # service_account_email isn't available until refresh is called.
  bootstrap_credentials.refresh(Request())

  signer_email = bootstrap_credentials.service_account_email
  if isinstance(bootstrap_credentials,
                google.auth.compute_engine.credentials.Credentials):
    # Since the Compute Engine metadata service doesn't expose the service
    # account key, we use the IAM signBlob API to sign instead.
    # In order for this to work:
    #
    # 1. Your VM needs the https://www.googleapis.com/auth/iam scope.
    #    You can specify this specific scope when creating a VM  through the API
    #    or gcloud. When using Cloud Console, you'll need to specify the
    #    "full access to all Cloud APIs" scope. A VM's scopes can only be
    #    specified at creation time.
    #
    # 2. The VM's default service account needs the "Service Account Actor"
    #    role. This can be found under the "Project" category in Cloud Console,
    #    or roles/iam.serviceAccountActor in gcloud.
    signer = google.auth.iam.Signer(Request(), bootstrap_credentials,
                                    signer_email)
  else:
    # A Signer object can sign a JWT using the service account's key.
    signer = bootstrap_credentials.signer

  # Construct OAuth 2.0 service account credentials using the signer and email
  # acquired from the bootstrap credentials.
  service_account_credentials = google.oauth2.service_account.Credentials(
      signer,
      signer_email,
      token_uri=OAUTH_TOKEN_URI,
      additional_claims={'target_audience': client_id})

  # service_account_credentials gives us a JWT signed by the service account.
  # Next, we use that to obtain an OpenID Connect token, which is a JWT signed
  # by Google.
  return get_google_open_id_connect_token(
      service_account_credentials), signer_email 

def _get_credentials_and_project_id(self) -> google.auth.credentials.Credentials:
        """
        Returns the Credentials object for Google API and the associated project_id
        """
        key_path = self._get_field('key_path', None)  # type: Optional[str]
        keyfile_dict = self._get_field('keyfile_dict', None)  # type: Optional[str]
        if not key_path and not keyfile_dict:
            self.log.info('Getting connection using `google.auth.default()` '
                          'since no key file is defined for hook.')
            credentials, project_id = google.auth.default(scopes=self.scopes)
        elif key_path:
            # Get credentials from a JSON file.
            if key_path.endswith('.json'):
                self.log.debug('Getting connection using JSON key file %s' % key_path)
                credentials = (
                    google.oauth2.service_account.Credentials.from_service_account_file(
                        key_path, scopes=self.scopes)
                )
                project_id = credentials.project_id
            elif key_path.endswith('.p12'):
                raise AirflowException('Legacy P12 key file are not supported, '
                                       'use a JSON key file.')
            else:
                raise AirflowException('Unrecognised extension for key file.')
        else:
            # Get credentials from JSON data provided in the UI.
            try:
                if not keyfile_dict:
                    raise ValueError("The keyfile_dict should be set")
                keyfile_dict_json: Dict[str, str] = json.loads(keyfile_dict)

                # Depending on how the JSON was formatted, it may contain
                # escaped newlines. Convert those to actual newlines.
                keyfile_dict_json['private_key'] = keyfile_dict_json['private_key'].replace(
                    '\\n', '\n')

                credentials = (
                    google.oauth2.service_account.Credentials.from_service_account_info(
                        keyfile_dict_json, scopes=self.scopes)
                )
                project_id = credentials.project_id
            except json.decoder.JSONDecodeError:
                raise AirflowException('Invalid key JSON.')

        if self.delegate_to:
            credentials = credentials.with_subject(self.delegate_to)

        overridden_project_id = self._get_field('project')
        if overridden_project_id:
            project_id = overridden_project_id

        return credentials, project_id