From ff06fc220a2457e57c9e904c9aae1ab7a283521f Mon Sep 17 00:00:00 2001
From: Chris Carlon <cjc25@cjc25.com>
Date: Wed, 23 Oct 2024 13:56:25 -0400
Subject: [PATCH] fix: Fix default service account tests on GCE. (#11021)

Tests running on GCE VMs automatically fall back to using the local
metadata service to detect the local default service account. In those
cases, tests for malformed creds won't work, but they should return a
VM-specific default service account email.
---
 storage/bucket_test.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/storage/bucket_test.go b/storage/bucket_test.go
index 7126be8331a6..7ae7b06e7e8d 100644
--- a/storage/bucket_test.go
+++ b/storage/bucket_test.go
@@ -20,6 +20,7 @@ import (
 	"testing"
 	"time"
 
+	"cloud.google.com/go/compute/metadata"
 	"cloud.google.com/go/internal/testutil"
 	"cloud.google.com/go/storage/internal/apiv2/storagepb"
 	"github.com/google/go-cmp/cmp"
@@ -1306,6 +1307,16 @@ func TestDetectDefaultGoogleAccessID(t *testing.T) {
 				if id != tc.serviceAccount {
 					t.Errorf("service account not found correctly; got: %s, want: %s", id, tc.serviceAccount)
 				}
+			} else if metadata.OnGCE() {
+				// On GCE, we fall back to the default service account. Check that's
+				// what happened.
+				defaultServiceAccount, err := metadata.Email("default")
+				if err != nil {
+					t.Errorf("could not load metadata service account for fallback: %v", err)
+				}
+				if id != defaultServiceAccount {
+					t.Errorf("service account not found correctly on fallback; got: %s, want: %s", id, defaultServiceAccount)
+				}
 			} else if err == nil {
 				t.Error("expected error but detectDefaultGoogleAccessID did not return one")
 			}