feat: Support External Account Authorized User as a Source Credential for impersonated credentials in ADC (#1608)

* feat: Support External Account Authorized User as a Source Credential for impersonated credentials in ADC

* formatting

Author: sai-sunder-s

google/auth/_default.py

@@ -472,6 +472,10 @@ def _get_impersonated_service_account_credentials(filename, info, scopes):
             source_credentials, _ = _get_service_account_credentials(
                 filename, source_credentials_info
             )
+        elif source_credentials_type == _EXTERNAL_ACCOUNT_AUTHORIZED_USER_TYPE:
+            source_credentials, _ = _get_external_account_authorized_user_credentials(
+                filename, source_credentials_info
+            )
         else:
             raise exceptions.InvalidType(
                 "source credential of type {} is not supported.".format(

system_tests/secrets.tar.enc

@@ -0,0 +1,16 @@
+{
+    "delegates": [
+        "service-account-delegate@example.com"
+    ],
+    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/service-account-target@example.com:generateAccessToken",
+    "source_credentials": {
+        "type": "external_account_authorized_user",
+        "audience": "//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID",
+        "refresh_token": "refreshToken",
+        "token_url": "https://sts.googleapis.com/v1/oauth/token",
+        "token_info_url": "https://sts.googleapis.com/v1/instrospect",
+        "client_id": "clientId",
+        "client_secret": "clientSecret"
+    },
+    "type": "impersonated_service_account"
+}

tests/data/impersonated_service_account_external_account_authorized_user_source.json

@@ -153,6 +153,11 @@
     DATA_DIR, "impersonated_service_account_service_account_source.json"
 )
 
+IMPERSONATED_SERVICE_ACCOUNT_EXTERNAL_ACCOUNT_AUTHORIZED_USER_SOURCE_FILE = os.path.join(
+    DATA_DIR,
+    "impersonated_service_account_external_account_authorized_user_source.json",
+)
+
 EXTERNAL_ACCOUNT_AUTHORIZED_USER_FILE = os.path.join(
     DATA_DIR, "external_account_authorized_user.json"
 )
@@ -365,6 +370,17 @@ def test_load_credentials_from_file_impersonated_with_service_account_source():
     assert not credentials._quota_project_id
 
 
+def test_load_credentials_from_file_impersonated_with_external_account_authorized_user_source():
+    credentials, _ = _default.load_credentials_from_file(
+        IMPERSONATED_SERVICE_ACCOUNT_EXTERNAL_ACCOUNT_AUTHORIZED_USER_SOURCE_FILE
+    )
+    assert isinstance(credentials, impersonated_credentials.Credentials)
+    assert isinstance(
+        credentials._source_credentials, external_account_authorized_user.Credentials
+    )
+    assert not credentials._quota_project_id
+
+
 def test_load_credentials_from_file_impersonated_passing_quota_project():
     credentials, _ = _default.load_credentials_from_file(
         IMPERSONATED_SERVICE_ACCOUNT_SERVICE_ACCOUNT_SOURCE_FILE,