From 517c08fe4b8dac3d88c3692391b1ebec230a2cde Mon Sep 17 00:00:00 2001 From: Ulrich Weber Date: Wed, 11 Mar 2026 14:45:07 +0100 Subject: [PATCH] google-auth: use auth.transport.requests as default mTLS support was recently added and added a hard requirement for requests. google.auth.compute_engine would fail to load, if requests is missing, so its safe to switch to google.auth.transport.requests here. Therefore switch default from google.auth.transport._http_client.Request() to google.auth.transport.requests.Request() which is required for mTLS to work. Fixes the following code: import google.auth credentials, project_id = google.auth.default() print(project_id) Signed-off-by: Ulrich Weber --- packages/google-auth/google/auth/_default.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/packages/google-auth/google/auth/_default.py b/packages/google-auth/google/auth/_default.py index d3beab4b6cd7..161ff45a800e 100644 --- a/packages/google-auth/google/auth/_default.py +++ b/packages/google-auth/google/auth/_default.py @@ -27,7 +27,6 @@ from google.auth import environment_vars from google.auth import exceptions -import google.auth.transport._http_client if TYPE_CHECKING: # pragma: NO COVER from google.auth.credentials import Credentials # noqa: F401 @@ -391,21 +390,22 @@ def _get_gae_credentials(): def _get_gce_credentials(request=None, quota_project_id=None): """Gets credentials and project ID from the GCE Metadata Service.""" # Ping requires a transport, but we want application default credentials - # to require no arguments. So, we'll use the _http_client transport which - # uses http.client. This is only acceptable because the metadata server - # doesn't do SSL and never requires proxies. + # to require no arguments. + # MDS connections use mTLS (#1856), which has a hard requirement for requests, + # so we cant use http.client # While this library is normally bundled with compute_engine, there are # some cases where it's not available, so we tolerate ImportError. try: from google.auth import compute_engine from google.auth.compute_engine import _metadata + from google.auth.transport.requests import Request except ImportError: _LOGGER.warning("Import of Compute Engine auth library failed.") return None, None if request is None: - request = google.auth.transport._http_client.Request() + request = Request() if _metadata.is_on_gce(request=request): # Get the project ID.