From 955ddc8dff0a9780a81cef9742167b205ebdcb02 Mon Sep 17 00:00:00 2001 From: Ryan Kohler Date: Thu, 11 Mar 2021 15:17:10 -0800 Subject: [PATCH 1/3] feat: allow the AWS_DEFAULT_REGION environment variable Amazon has this variable documented, and apparently people are trying to use it, so we should support it --- google/auth/aws.py | 4 ++++ google/auth/environment_vars.py | 1 + tests/test_aws.py | 21 +++++++++++++++++++++ 3 files changed, 26 insertions(+) diff --git a/google/auth/aws.py b/google/auth/aws.py index b362dd315..bd370b4b0 100644 --- a/google/auth/aws.py +++ b/google/auth/aws.py @@ -526,6 +526,10 @@ def _get_region(self, request, url): if env_aws_region is not None: return env_aws_region + env_aws_region = os.environ.get(environment_vars.AWS_DEFAULT_REGION) + if env_aws_region is not None: + return env_aws_region + if not self._region_url: raise exceptions.RefreshError("Unable to determine AWS region") response = request(url=self._region_url, method="GET") diff --git a/google/auth/environment_vars.py b/google/auth/environment_vars.py index 416bab0c0..f02774181 100644 --- a/google/auth/environment_vars.py +++ b/google/auth/environment_vars.py @@ -69,3 +69,4 @@ AWS_SECRET_ACCESS_KEY = "AWS_SECRET_ACCESS_KEY" AWS_SESSION_TOKEN = "AWS_SESSION_TOKEN" AWS_REGION = "AWS_REGION" +AWS_DEFAULT_REGION = "AWS_DEFAULT_REGION" diff --git a/tests/test_aws.py b/tests/test_aws.py index 9a8f98eec..31ddc94d4 100644 --- a/tests/test_aws.py +++ b/tests/test_aws.py 
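Review bot: The new AWS_DEFAULT_REGION lookup, like the AWS_REGION check immediately above it, tests `is not None`, so a variable that is exported but empty (`AWS_REGION=`) is returned as the region and stops the fall-through to AWS_DEFAULT_REGION and to the metadata server. Testing truthiness on both branches — `if env_aws_region:` — lets an empty value fall through, which is how an exported-but-empty variable is usually meant. The two lookups are now verbatim copies; iterating `for name in (environment_vars.AWS_REGION, environment_vars.AWS_DEFAULT_REGION):` would keep the precedence explicit in one place. Nothing here validates the value (the test in patch 2 deliberately passes "Malformed AWS Region" through), so if the region is interpolated into an STS endpoint host elsewhere in the file, a format sanity check at that point may be worth considering. `_get_region` starts before this hunk (the AWS_REGION lookup itself is outside it) and continues after it.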
@@ -1043,6 +1043,27 @@ def test_retrieve_subject_token_success_environment_vars(self, utcnow, monkeypat } ) + @mock.patch("google.auth._helpers.utcnow") + def test_retrieve_subject_token_success_environment_vars(self, utcnow, monkeypatch): + monkeypatch.setenv(environment_vars.AWS_ACCESS_KEY_ID, ACCESS_KEY_ID) + monkeypatch.setenv(environment_vars.AWS_SECRET_ACCESS_KEY, SECRET_ACCESS_KEY) + monkeypatch.setenv(environment_vars.AWS_SESSION_TOKEN, TOKEN) + monkeypatch.setenv(environment_vars.AWS_DEFAULT_REGION, self.AWS_REGION) + utcnow.return_value = datetime.datetime.strptime( + self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" + ) + credentials = self.make_credentials(credential_source=self.CREDENTIAL_SOURCE) + + subject_token = credentials.retrieve_subject_token(None) + + assert subject_token == self.make_serialized_aws_signed_request( + { + "access_key_id": ACCESS_KEY_ID, + "secret_access_key": SECRET_ACCESS_KEY, + "security_token": TOKEN, + } + ) + @mock.patch("google.auth._helpers.utcnow") def test_retrieve_subject_token_success_environment_vars_no_session_token( self, utcnow, monkeypatch From a7d2454e14693462aaa8d6f6cd75e65f17a409da Mon Sep 17 00:00:00 2001 From: Ryan Kohler Date: Fri, 12 Mar 2021 09:16:07 -0800 Subject: [PATCH 2/3] Changes requested by bojeil@ --- tests/test_aws.py | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/tests/test_aws.py b/tests/test_aws.py index 31ddc94d4..04cd2989d 100644 --- a/tests/test_aws.py +++ b/tests/test_aws.py 
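Review bot: The new test never clears AWS_REGION, yet `_get_region` consults AWS_REGION before AWS_DEFAULT_REGION, so on a developer or CI host that exports AWS_REGION the test passes or fails for reasons unrelated to the fallback under test. Add `monkeypatch.delenv(environment_vars.AWS_REGION, raising=False)` next to the other `setenv` calls so the AWS_DEFAULT_REGION path is the only one that can be taken. It would also help to record why the assertion proves the env-var path was used — presumably because `retrieve_subject_token(None)` leaves no `request` for the metadata-server fallback, so that path could not succeed silently — e.g. `# request=None: a fall-through to the metadata server would fail, so success means AWS_DEFAULT_REGION was honoured`.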
@@ -1044,7 +1044,9 @@ def test_retrieve_subject_token_success_environment_vars(self, utcnow, monkeypat ) @mock.patch("google.auth._helpers.utcnow") - def test_retrieve_subject_token_success_environment_vars(self, utcnow, monkeypatch): + def test_retrieve_subject_token_success_environment_vars_with_default_region( + self, utcnow, monkeypatch + ): monkeypatch.setenv(environment_vars.AWS_ACCESS_KEY_ID, ACCESS_KEY_ID) monkeypatch.setenv(environment_vars.AWS_SECRET_ACCESS_KEY, SECRET_ACCESS_KEY) monkeypatch.setenv(environment_vars.AWS_SESSION_TOKEN, TOKEN) @@ -1064,6 +1066,33 @@ def test_retrieve_subject_token_success_environment_vars(self, utcnow, monkeypat } ) + @mock.patch("google.auth._helpers.utcnow") + def test_retrieve_subject_token_success_environment_vars_with_both_regions_set( + self, utcnow, monkeypatch + ): + monkeypatch.setenv(environment_vars.AWS_ACCESS_KEY_ID, ACCESS_KEY_ID) + monkeypatch.setenv(environment_vars.AWS_SECRET_ACCESS_KEY, SECRET_ACCESS_KEY) + monkeypatch.setenv(environment_vars.AWS_SESSION_TOKEN, TOKEN) + monkeypatch.setenv(environment_vars.AWS_DEFAULT_REGION, "Malformed AWS Region") + # This test makes sure that the AWS_REGION gets used over AWS_DEFAULT_REGION, + # So, AWS_DEFAULT_REGION is set to something that would cause the test to fail, + # And AWS_REGION is set to the a valid value, and it should succeed + monkeypatch.setenv(environment_vars.AWS_REGION, self.AWS_REGION) + utcnow.return_value = datetime.datetime.strptime( + self.AWS_SIGNATURE_TIME, "%Y-%m-%dT%H:%M:%SZ" + ) + credentials = self.make_credentials(credential_source=self.CREDENTIAL_SOURCE) + + subject_token = credentials.retrieve_subject_token(None) + + assert subject_token == self.make_serialized_aws_signed_request( + { + "access_key_id": ACCESS_KEY_ID, + "secret_access_key": SECRET_ACCESS_KEY, + "security_token": TOKEN, + } + ) + @mock.patch("google.auth._helpers.utcnow") def test_retrieve_subject_token_success_environment_vars_no_session_token( self, utcnow, monkeypatch 
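Review bot: The explanatory comment in `test_retrieve_subject_token_success_environment_vars_with_both_regions_set` has a typo ("set to the a valid value") and is split into three fragments that start with capitalised "So," and "And", which reads awkwardly. One sentence above the AWS_DEFAULT_REGION `setenv` states the intent directly: `# AWS_REGION must take precedence: AWS_DEFAULT_REGION is given a value that would yield a different signed request, so the assertion only passes if AWS_REGION was used.` Whether "Malformed AWS Region" would in fact change the serialized request depends on `make_serialized_aws_signed_request` embedding the region, which is not visible in this hunk; if it does not, the test cannot tell the two variables apart and a direct assertion on `credentials._get_region(None, ...)` would be the stronger check.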
From 0239864c9efe89f490d0b12ec352f8b845eb64df Mon Sep 17 00:00:00 2001 From: Ryan Kohler Date: Fri, 12 Mar 2021 15:41:33 -0800 Subject: [PATCH 3/3] Comment changes requested by bojeil@ --- google/auth/aws.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/google/auth/aws.py b/google/auth/aws.py index bd370b4b0..c2b521c36 100644 --- a/google/auth/aws.py +++ b/google/auth/aws.py @@ -424,9 +424,9 @@ def retrieve_subject_token(self, request): The logic is summarized as: - Retrieve the AWS region from the AWS_REGION environment variable or from - the AWS metadata server availability-zone if not found in the - environment variable. + Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION + environment variable or from the AWS metadata server availability-zone + if not found in the environment variable. Check AWS credentials in environment variables. If not found, retrieve from the AWS metadata server security-credentials endpoint. @@ -504,8 +504,8 @@ def retrieve_subject_token(self, request): ) def _get_region(self, request, url): - """Retrieves the current AWS region from either the AWS_REGION - environment variable or from the AWS metadata server. + """Retrieves the current AWS region from either the AWS_REGION or + AWS_DEFAULT_REGION environment variable or from the AWS metadata server. Args: request (google.auth.transport.Request): A callable used to make
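Review bot: The updated `retrieve_subject_token` docstring lists both variables but does not say which one wins when both are set, and the trailing "if not found in the environment variable" is now singular for two variables. Since the test added in patch 2 pins AWS_REGION taking precedence over AWS_DEFAULT_REGION, the docstring should state that contract, e.g. `Retrieve the AWS region from the AWS_REGION environment variable, falling back to AWS_DEFAULT_REGION, and finally to the AWS metadata server availability-zone endpoint if neither is set.` The enclosing docstring and method extend well beyond this hunk on both sides.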
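Review bot: `_get_region`'s new summary line reads as if AWS_REGION and AWS_DEFAULT_REGION were interchangeable, whereas the implementation in patch 1 of this series consults AWS_REGION first and only then AWS_DEFAULT_REGION. Making the order explicit protects callers who export both: `"""Retrieves the current AWS region from the AWS_REGION environment variable, then from AWS_DEFAULT_REGION, then from the AWS metadata server.` The docstring's Args section and the method body continue past the end of this hunk.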