fix: Read scopes from ADC json for impersoanted cred (#1820)

sai-sunder-s · gcf-owl-bot[bot] · web-flow · commit 62c0fc82a362 · 2025-10-22T15:46:26.000-04:00
* fix: Read scopes from ADC json for impersoanted cred * secret * secret update * secret update * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --------- Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
diff --git a/google/auth/impersonated_credentials.py b/google/auth/impersonated_credentials.py
@@ -526,6 +526,7 @@ def from_impersonated_service_account_info(cls, info, scopes=None):
         target_principal = impersonation_url[start_index + 1 : end_index]
         delegates = info.get("delegates")
         quota_project_id = info.get("quota_project_id")
+        scopes = scopes or info.get("scopes")
         trust_boundary = info.get("trust_boundary")
 
         return cls(
diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
diff --git a/tests/test_impersonated_credentials.py b/tests/test_impersonated_credentials.py
@@ -213,6 +213,23 @@ def test_from_impersonated_service_account_info_with_invalid_impersonation_url(
             )
         assert excinfo.match(r"Cannot extract target principal from")
 
+    def test_from_impersonated_service_account_info_with_scopes(self):
+        info = copy.deepcopy(IMPERSONATED_SERVICE_ACCOUNT_AUTHORIZED_USER_SOURCE_INFO)
+        info["scopes"] = ["scope1", "scope2"]
+        credentials = impersonated_credentials.Credentials.from_impersonated_service_account_info(
+            info
+        )
+        assert credentials._target_scopes == ["scope1", "scope2"]
+
+    def test_from_impersonated_service_account_info_with_scopes_param(self):
+        info = copy.deepcopy(IMPERSONATED_SERVICE_ACCOUNT_AUTHORIZED_USER_SOURCE_INFO)
+        info["scopes"] = ["scope_from_info_1", "scope_from_info_2"]
+        scopes_param = ["scope_from_param_1", "scope_from_param_2"]
+        credentials = impersonated_credentials.Credentials.from_impersonated_service_account_info(
+            info, scopes=scopes_param
+        )
+        assert credentials._target_scopes == scopes_param
+
     def test_get_cred_info(self):
         credentials = self.make_credentials()
         assert not credentials.get_cred_info()
