googleapis / google-auth-library-python

Google Auth Python Library
https://googleapis.dev/python/google-auth/latest/
Apache License 2.0

Avoid committing hard coded secrets #1324

Closed johnkrah-aws closed 1 year ago

johnkrah-aws commented 1 year ago

Thanks for stopping by to let us know something could be better!

PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.

Please run down the following list and make sure you've tried the usual "quick fixes":

Looked and didn't see an open or closed issue related to this finding.

If you are still having issues, please be sure to include as much information as possible:

Environment details

Environment is probably not relevant to this static code finding, but just in case:

Steps to reproduce

  1. Notice that there are hard-coded secrets in a test suite, specifically an AWS account access key ID, secret access key, and session token. Why are hard-coded secrets bad? https://maturitymodel.security.aws.dev/en/2.-foundational/dont-store-secrets-in-code/
  2. If this was production code we'd recommend using AWS Secrets Manager; here's a helpful guide: https://docs.aws.amazon.com/secretsmanager/latest/userguide/hardcoded.html.
  3. Since they are test-only: replace them with fictitious/mock values. The AWS APIs suggest some examples, such as https://docs.aws.amazon.com/STS/latest/APIReference/API_GetAccessKeyInfo.html and https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html in this case.
  4. Profit, or non-profit as appropriate.

Making sure to follow these steps will guarantee the quickest resolution possible.

Thanks!

Welcome! Posting this issue for tracking, already have a pull request ready to resolve this finding. Thank you!
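The replacement the issue recommends (real-looking keys out, documented fictitious values in) can be checked mechanically before each commit. The following Python scanner is an added example, not code from google-auth-library-python or from the issue author: it flags AWS credential-shaped string literals in test source and allows values that follow the AWS documentation's placeholder convention. The EXAMPLE-substring placeholder rule, the 60-character session-token minimum and the sample test module are assumptions constructed for the example.

```python
import re

# Added example, not google-auth-library-python code: a pre-commit style scanner
# for AWS credential-shaped literals that tolerates documented placeholders.

# Public access key ID format: 20 upper-case alphanumerics, prefix AKIA
# (long-term key) or ASIA (temporary key issued by STS).
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 chars of [A-Za-z0-9/+]; anchor on a nearby keyword
# so ordinary base64 strings in tests are not reported.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_ ]?(?:access[_ ]?)?key\W{0,5}[\"']([A-Za-z0-9/+]{40})[\"']")
# Session tokens are long opaque strings; 60 is an assumed minimum length.
SESSION_TOKEN_RE = re.compile(
    r"(?i)session[_ ]?token\W{0,5}[\"']([A-Za-z0-9/+=]{60,})[\"']")

RULES = (("access_key_id", ACCESS_KEY_ID_RE),
         ("secret_access_key", SECRET_KEY_RE),
         ("session_token", SESSION_TOKEN_RE))


def is_placeholder(value: str) -> bool:
    # Assumption: the fictitious credentials in AWS documentation all contain
    # the substring EXAMPLE, so that substring marks an allowed placeholder.
    return "EXAMPLE" in value.upper()


def find_hardcoded_aws_credentials(source: str) -> list:
    """Return (line_number, kind, value) for every credential-shaped literal
    in `source` that is not a recognised placeholder."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in RULES:
            for match in pattern.finditer(line):
                value = match.group(1)
                if not is_placeholder(value):
                    findings.append((lineno, kind, value))
    return findings


# Constructed sample of a test module: two documented fictitious values
# (allowed) followed by three realistic-looking fakes (flagged).
SAMPLE_TEST_SOURCE = "\n".join([
    'ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"',
    'old_access_key_id = "AKIAQWERTYUIOPASDFGH"',
    'old_secret_key = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"',
    'aws_session_token = "' + "F" * 64 + '"',
])
```

Run `find_hardcoded_aws_credentials` over each staged test file in a pre-commit hook and fail the commit when it returns anything.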