fix google-auth: use auth.transport.requests as default #16076

Open
uweber wants to merge 1 commit into googleapis:main from uweber:main

uweber commented Mar 11, 2026

mTLS support was recently added and added a hard requirement for requests. google.auth.compute_engine would fail to load if requests is missing, so it's safe to switch to google.auth.transport.requests here.

Therefore switch default from google.auth.transport._http_client.Request() to google.auth.transport.requests.Request() which is required for mTLS to work.

Fixes the following code:
import google.auth
credentials, project_id = google.auth.default()
print(project_id)

Fixes #16035

mTLS support was recently added and added a hard requirement for requests.
google.auth.compute_engine would fail to load if requests is missing, so
it's safe to switch to google.auth.transport.requests here.

Therefore switch default from google.auth.transport._http_client.Request()
to google.auth.transport.requests.Request() which is required for mTLS to work.

Fixes the following code:
  import google.auth
  credentials, project_id = google.auth.default()
  print(project_id)

Signed-off-by: Ulrich Weber <ulrich.weber@gmail.com>

uweber requested review from a team as code owners March 11, 2026 13:52

gemini-code-assist (Contributor) commented

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the core google-auth library to use the requests-based HTTP transport by default when interacting with the GCE Metadata Service. This modification is essential for supporting modern security protocols like mTLS and ensures that the authentication process is robust and compatible with current infrastructure requirements, particularly for compute engine environments.

Highlights

  • Default Transport Change: Switched the default HTTP transport for Google Cloud authentication from google.auth.transport._http_client.Request() to google.auth.transport.requests.Request().
  • mTLS Support: This change is crucial for enabling mTLS (mutual TLS) support, as the new transport is required for secure metadata service connections.
  • Dependency Resolution: Resolved an issue where google.auth.compute_engine would fail to load if the requests library was missing, by making requests a hard requirement for MDS connections.

Changelog

  • packages/google-auth/google/auth/_default.py
    • Removed the import of google.auth.transport._http_client.
    • Added an import for Request from google.auth.transport.requests within the _get_gce_credentials function.
    • Updated the default request object in _get_gce_credentials to use Request() from google.auth.transport.requests.
    • Modified comments to reflect the necessity of requests for mTLS with MDS connections, replacing the previous rationale for _http_client.

google-cla bot commented Mar 11, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request successfully updates the default HTTP client for GCE credentials from google.auth.transport._http_client.Request to google.auth.transport.requests.Request. This change is crucial for enabling mTLS support, which has a hard requirement for the requests library. The code correctly removes the outdated import, integrates the new Request import within the try...except ImportError block, and updates the relevant comments to reflect the new rationale. My primary feedback is a suggestion to refine the warning message in the ImportError block for better debugging clarity.

from google.auth.compute_engine import _metadata
from google.auth.transport.requests import Request
except ImportError:
_LOGGER.warning("Import of Compute Engine auth library failed.")
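
Review bot: the `except ImportError:` branch drops the exception, so now that `from google.auth.transport.requests import Request` sits under the same handler the log cannot show which import failed. Bind the exception (`except ImportError as exc:`) and include it in the `_LOGGER.warning(...)` call, so that a missing `requests` package is distinguishable from a missing Compute Engine module.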

medium

The ImportError block now handles potential failures from importing google.auth.transport.requests.Request in addition to compute_engine and _metadata. If the underlying requests library is missing, the current warning message "Import of Compute Engine auth library failed." might be misleading. Consider making the warning message more general to accurately reflect that multiple authentication-related libraries could have failed to import, which would aid in debugging.

_LOGGER.warning("Failed to import necessary authentication libraries for GCE.")

daniel-sanche (Contributor) commented

We have a different PR that attempts to solve the same problem by disabling mtls enablement on _http_client.Request(). Does the http_client no longer work for this use-case?

uweber (Author) commented Mar 11, 2026

> We have a different PR that attempts to solve the same problem by disabling mtls enablement on _http_client.Request(). Does the http_client no longer work for this use-case?

With the mTLS support, the _http_client code is no longer functional. Since the default is to use mTLS when a certificate is found, no fallback to HTTP is possible anymore. And to use mTLS, a Python request session is needed.
See the code in my commit message; the project ID would be empty otherwise:
import google.auth
credentials, project_id = google.auth.default()
print(project_id)


Development

Successfully merging this pull request may close these issues.

requests has not attribute session
