Add Python wrapper

src/core/lib/security/credentials/google_default/google_default_credentials.cc

@@ -273,11 +273,29 @@ end:
   return error;
 }
 
+static void update_tenancy() {
+  gpr_once_init(&g_once, init_default_credentials);
+  gpr_mu_lock(&g_state_mu);
+
+  /* Try a platform-provided hint for GCE. */
+  if (!g_metadata_server_available) {
+    g_is_on_gce = g_gce_tenancy_checker();
+    g_metadata_server_available = g_is_on_gce;
+  }
+  /* TODO: Add a platform-provided hint for GAE. */
+
+  /* Do a network test for metadata server. */
+  if (!g_metadata_server_available) {
+    g_metadata_server_available = is_metadata_server_reachable();
+  }
+  gpr_mu_unlock(&g_state_mu);
+
+}
+
 static void default_call_creds(grpc_core::RefCountedPtr<grpc_call_credentials>* call_creds,
                                grpc_error* error)
 {
   grpc_error* err;
-  gpr_once_init(&g_once, init_default_credentials);
 
   /* First, try the environment variable. */
   err = create_default_creds_from_path(
@@ -291,21 +309,6 @@ static void default_call_creds(grpc_core::RefCountedPtr<grpc_call_credentials>*
   if (err == GRPC_ERROR_NONE) return;
   error = grpc_error_add_child(error, err);
 
-  gpr_mu_lock(&g_state_mu);
-
-  /* Try a platform-provided hint for GCE. */
-  if (!g_metadata_server_available) {
-    g_is_on_gce = g_gce_tenancy_checker();
-    g_metadata_server_available = g_is_on_gce;
-  }
-  /* TODO: Add a platform-provided hint for GAE. */
-
-  /* Do a network test for metadata server. */
-  if (!g_metadata_server_available) {
-    g_metadata_server_available = is_metadata_server_reachable();
-  }
-  gpr_mu_unlock(&g_state_mu);
-
   if (g_metadata_server_available) {
     *call_creds = grpc_core::RefCountedPtr<grpc_call_credentials>(
         grpc_google_compute_engine_credentials_create(nullptr));
@@ -326,6 +329,8 @@ grpc_channel_credentials* grpc_google_default_credentials_create(grpc_call_crede
 
   GRPC_API_TRACE("grpc_google_default_credentials_create(%p)", 1, (call_credentials));
 
+  update_tenancy();
+
   if (call_credentials == nullptr) {
     default_call_creds(&call_creds, error);
   }

src/python/grpcio/grpc/__init__.py

@@ -1868,10 +1868,9 @@ def alts_server_credentials():
     return ServerCredentials(_cygrpc.server_credentials_alts())
 
 
-def compute_engine_channel_credentials():
+def compute_engine_channel_credentials(call_credentials):
     """Creates a compute engine channel credential.
 
-    This is an EXPERIMENAL API.
     This credential can only be used in a GCP environment as ir relies on
     a handshaker service. For more infor about ALTS, see
     https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security
@@ -1881,7 +1880,7 @@ def compute_engine_channel_credentials():
     with any other call credential, the connection may suddenly and unexpectedly
     begin failing RPCs.
     """
-    return ChannelCredentials(_cygrpc.channel_credentials_compute_engine())
+    return ChannelCredentials(_cygrpc.channel_credentials_compute_engine(call_credentials._credentials))
 
 
 def channel_ready_future(channel):

src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi

@@ -384,14 +384,18 @@ def server_credentials_alts():
 
 cdef class ComputeEngineChannelCredentials(ChannelCredentials):
   cdef grpc_channel_credentials* _c_creds
+  cdef grpc_call_credentials* _call_creds
 
-  def __cinit__(self):
+  def __cinit__(self, CallCredentials call_creds):
     self._c_creds = NULL
+    self._call_creds = call_creds.c()
+    if self._call_creds == NULL:
+      raise ValueError("Call credentials may not be NULL.")
 
   cdef grpc_channel_credentials *c(self) except *:
-    self._c_creds = grpc_compute_engine_channel_credentials_create(NULL)
+    self._c_creds = grpc_google_default_credentials_create(self._call_creds)
     return self._c_creds
 
 
-def channel_credentials_compute_engine():
+def channel_credentials_compute_engine(call_creds):
-  return ComputeEngineChannelCredentials()
+  return ComputeEngineChannelCredentials(call_creds)

src/python/grpcio/grpc/_cython/_cygrpc/grpc.pxi

@@ -504,8 +504,7 @@ cdef extern from "grpc/grpc_security.h":
   void grpc_set_ssl_roots_override_callback(
       grpc_ssl_roots_override_callback cb) nogil
 
-  grpc_channel_credentials *grpc_google_default_credentials_create() nogil
+  grpc_channel_credentials *grpc_google_default_credentials_create(grpc_call_credentials* call_credentials) nogil
-  grpc_channel_credentials *grpc_compute_engine_channel_credentials_create(void* reserved) nogil
   grpc_channel_credentials *grpc_ssl_credentials_create(
       const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair,
       verify_peer_options *verify_options, void *reserved) nogil

src/python/grpcio_tests/tests/interop/client.py

@@ -109,19 +109,21 @@ def get_secure_channel_parameters(args):
             % args.grpc_test_use_grpclb_with_child_policy),)
     if args.custom_credentials_type is not None:
         if args.custom_credentials_type == "compute_engine_channel_creds":
+            # channel_credentials = grpc.google_default_channel_credentials()
             if call_credentials is not None:
-                raise ValueError(
+                raise ValueError("What? That's not true! That's impossible!")
-                    "Cannot use both compute_engine_creds " +
-                    "and {} as call creds.".format(call_credentials))
             google_credentials, unused_project_id = google_auth.default(
                 scopes=[args.oauth_scope])
             call_creds = grpc.metadata_call_credentials(
                 google_auth.transport.grpc.AuthMetadataPlugin(
                     credentials=google_credentials,
                     request=google_auth.transport.requests.Request()))
-            channel_credentials = grpc.compute_engine_channel_credentials()
+            # TODO: Is there any reason why it actually had to take this argument?
-            channel_credentials = grpc.composite_channel_credentials(
+            # Couldn't we just as easily have created a composite channel credential?
-                channel_credentials, call_creds)
+            channel_credentials = grpc.compute_engine_channel_credentials(call_creds)
+            # channel_credentials = grpc.composite_channel_credentials(channel_credent)
+            #     channel_credentials = grpc.composite_channel_credentials(
+            #         channel_credentials, call_credentials)
         else:
             raise ValueError("Unknown credentials type '{}'".format(
                 args.custom_credentials_type))