From 7e1049e25f40b768ec63b020966c519376b211f6 Mon Sep 17 00:00:00 2001 From: chalmer lowe Date: Tue, 13 Jan 2026 08:20:56 -0500 Subject: [PATCH 1/5] fix: removes content-header-from-aws-get --- google/auth/aws.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/google/auth/aws.py b/google/auth/aws.py index 8e6c6789c..b7273bc38 100644 --- a/google/auth/aws.py +++ b/google/auth/aws.py @@ -530,7 +530,7 @@ def _get_metadata_security_credentials( google.auth.exceptions.RefreshError: If an error occurs while retrieving the AWS security credentials. """ - headers = {"Content-Type": "application/json"} + headers = None if imdsv2_session_token is not None: headers["X-aws-ec2-metadata-token"] = imdsv2_session_token From 008685cc6bfa3bbc6b02f885238260031bbb0fc0 Mon Sep 17 00:00:00 2001 From: chalmer lowe Date: Tue, 13 Jan 2026 09:06:34 -0500 Subject: [PATCH 2/5] updates assertions to removed expectation of content-header --- tests/test_aws.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/tests/test_aws.py b/tests/test_aws.py index 1fd78e191..140c19a9d 100644 --- a/tests/test_aws.py +++ b/tests/test_aws.py @@ -1306,7 +1306,7 @@ def test_retrieve_subject_token_success_temp_creds_no_environment_vars( self.assert_aws_metadata_request_kwargs( request.call_args_list[2][1], "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE), - {"Content-Type": "application/json"}, + None, ) # Retrieve subject_token again. Region should not be queried again. @@ -1329,7 +1329,7 @@ def test_retrieve_subject_token_success_temp_creds_no_environment_vars( self.assert_aws_metadata_request_kwargs( new_request.call_args_list[1][1], "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE), - {"Content-Type": "application/json"}, + None, ) @mock.patch("google.auth._helpers.utcnow") @@ -1394,7 +1394,6 @@ def test_retrieve_subject_token_success_temp_creds_no_environment_vars_idmsv2( request.call_args_list[4][1], "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE), { - "Content-Type": "application/json", "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN, }, ) @@ -1684,7 +1683,6 @@ def test_retrieve_subject_token_success_ipv6(self, utcnow): request.call_args_list[4][1], "{}/{}".format(SECURITY_CREDS_URL_IPV6, self.AWS_ROLE), { - "Content-Type": "application/json", "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN, }, ) From 077fd255c6bb8b75d6a9e201b6443f1552ff9c35 Mon Sep 17 00:00:00 2001 From: chalmer lowe Date: Tue, 13 Jan 2026 09:26:35 -0500 Subject: [PATCH 3/5] fix: correct header initialization to avoid TypeError --- google/auth/aws.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/google/auth/aws.py b/google/auth/aws.py index b7273bc38..6d2ad1e5c 100644 --- a/google/auth/aws.py +++ b/google/auth/aws.py @@ -532,7 +532,7 @@ def _get_metadata_security_credentials( """ headers = None if imdsv2_session_token is not None: - headers["X-aws-ec2-metadata-token"] = imdsv2_session_token + headers = {"X-aws-ec2-metadata-token": imdsv2_session_token} response = request( url="{}/{}".format(self._security_credentials_url, role_name), From 2139fd38b6a9b9452c94c194fd36ab400683ed00 Mon Sep 17 00:00:00 2001 From: chalmer lowe Date: Tue, 13 Jan 2026 10:42:29 -0500 Subject: [PATCH 4/5] fix: update test expectations after removing Content-Type header --- google/auth/aws.py | 4 +++- tests/test_aws.py | 4 ---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/google/auth/aws.py b/google/auth/aws.py index 6d2ad1e5c..e71155b36 100644 --- a/google/auth/aws.py +++ b/google/auth/aws.py @@ -530,9 +530,11 @@ def _get_metadata_security_credentials( google.auth.exceptions.RefreshError: If an error occurs while retrieving the AWS security credentials. """ - headers = None if imdsv2_session_token is not None: headers = {"X-aws-ec2-metadata-token": imdsv2_session_token} + else: + headers = None + response = request( url="{}/{}".format(self._security_credentials_url, role_name), diff --git a/tests/test_aws.py b/tests/test_aws.py index 140c19a9d..b6b1ca231 100644 --- a/tests/test_aws.py +++ b/tests/test_aws.py @@ -1430,7 +1430,6 @@ def test_retrieve_subject_token_success_temp_creds_no_environment_vars_idmsv2( new_request.call_args_list[2][1], "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE), { - "Content-Type": "application/json", "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN, }, ) @@ -1487,7 +1486,6 @@ def test_retrieve_subject_token_success_temp_creds_environment_vars_missing_secr request.call_args_list[2][1], "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE), { - "Content-Type": "application/json", "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN, }, ) @@ -1544,7 +1542,6 @@ def test_retrieve_subject_token_success_temp_creds_environment_vars_missing_acce request.call_args_list[2][1], "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE), { - "Content-Type": "application/json", "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN, }, ) @@ -1595,7 +1592,6 @@ def test_retrieve_subject_token_success_temp_creds_environment_vars_missing_cred request.call_args_list[2][1], "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE), { - "Content-Type": "application/json", "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN, }, ) From 7a9cdd0e73a9afe08fa5432e3442f36644fdc691 Mon Sep 17 00:00:00 2001 From: chalmer lowe Date: Wed, 14 Jan 2026 06:49:51 -0500 Subject: [PATCH 5/5] updates linting --- google/auth/aws.py | 1 - 1 file changed, 1 deletion(-) diff --git a/google/auth/aws.py b/google/auth/aws.py index e71155b36..c640568b8 100644 --- a/google/auth/aws.py +++ b/google/auth/aws.py @@ -535,7 +535,6 @@ def _get_metadata_security_credentials( else: headers = None - response = request( url="{}/{}".format(self._security_credentials_url, role_name), method="GET",