fix: Improve ADC related errors and warnings (#1237)

* fix: Improve ADC related errors and warnings * Run lint and blacken * Refresh system test credentials
googleapis · Feb 28, 2023 · 2dfa213 · 2dfa213
1 parent 91ac8e6
commit 2dfa213
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 16 deletions.
diff --git a/google/auth/_default.py b/google/auth/_default.py
@@ -48,23 +48,18 @@
 )
 
 # Help message when no credentials can be found.
-_HELP_MESSAGE = """\
-Could not automatically determine credentials. Please set {env} or \
-explicitly create credentials and re-run the application. For more \
-information, please see \
-https://cloud.google.com/docs/authentication/getting-started
-""".format(
-    env=environment_vars.CREDENTIALS
-).strip()
+_CLOUD_SDK_MISSING_CREDENTIALS = """\
+Your default credentials were not found. To set up Application Default Credentials, \
+see https://cloud.google.com/docs/authentication/external/set-up-adc for more information.\
+"""
 
 # Warning when using Cloud SDK user credentials
 _CLOUD_SDK_CREDENTIALS_WARNING = """\
 Your application has authenticated using end user credentials from Google \
 Cloud SDK without a quota project. You might receive a "quota exceeded" \
-or "API not enabled" error. We recommend you rerun \
-`gcloud auth application-default login` and make sure a quota project is \
-added. Or you can use service accounts instead. For more information \
-about service accounts, see https://cloud.google.com/docs/authentication/"""
+or "API not enabled" error. See the following page for troubleshooting: \
+https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds. \
+"""
 
 # The subject token type used for AWS external_account credentials.
 _AWS_SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request"
@@ -650,4 +645,4 @@ def default(scopes=None, request=None, quota_project_id=None, default_scopes=Non
                 )
             return credentials, effective_project_id
 
-    raise exceptions.DefaultCredentialsError(_HELP_MESSAGE)
+    raise exceptions.DefaultCredentialsError(_CLOUD_SDK_MISSING_CREDENTIALS)
diff --git a/google/auth/_default_async.py b/google/auth/_default_async.py
@@ -281,4 +281,4 @@ def default_async(scopes=None, request=None, quota_project_id=None):
                 )
             return credentials, effective_project_id
 
-    raise exceptions.DefaultCredentialsError(_default._HELP_MESSAGE)
+    raise exceptions.DefaultCredentialsError(_default._CLOUD_SDK_MISSING_CREDENTIALS)
diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
diff --git a/tests/test__default.py b/tests/test__default.py
@@ -916,9 +916,11 @@ def test_default_without_project_id(
     autospec=True,
 )
 def test_default_fail(unused_gce, unused_gae, unused_sdk, unused_explicit):
-    with pytest.raises(exceptions.DefaultCredentialsError):
+    with pytest.raises(exceptions.DefaultCredentialsError) as excinfo:
         assert _default.default()
 
+    assert excinfo.match(_default._CLOUD_SDK_MISSING_CREDENTIALS)
+
 
 @mock.patch(
     "google.auth._default._get_explicit_environ_credentials",
@@ -1128,7 +1130,7 @@ def test_default_environ_external_credentials_bad_format(monkeypatch, tmpdir):
 def test_default_warning_without_quota_project_id_for_user_creds(get_adc_path):
     get_adc_path.return_value = AUTHORIZED_USER_CLOUD_SDK_FILE
 
-    with pytest.warns(UserWarning, match="Cloud SDK"):
+    with pytest.warns(UserWarning, match=_default._CLOUD_SDK_CREDENTIALS_WARNING):
         credentials, project_id = _default.default(quota_project_id=None)