The code below runs in a pod on an AWS EKS cluster, and the target GCP service account has a Workload Identity Federation (WIF) pool with an AWS provider configured for it.
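def get_gcp_credentials_via_aws_federation(
    service_account: str,
    audience: str,
    scopes: List[str] | None = None,
) -> aws.Credentials:
    """Obtain refreshed GCP credentials for ``service_account`` via AWS federation.

    Builds a google-auth ``external_account`` configuration that exchanges the
    caller's AWS identity (a signed ``GetCallerIdentity`` request) at the Google
    STS endpoint for ``audience`` and then impersonates ``service_account``
    through the IAM Credentials ``generateAccessToken`` endpoint.

    Args:
        service_account: Email of the GCP service account to impersonate.
        audience: Workload Identity Federation audience the AWS identity is
            exchanged against.
        scopes: OAuth scopes to request; ``None`` means ``cloud-platform``.

    Returns:
        ``aws.Credentials`` that have already been refreshed once.

    Raises:
        ValueError: when ``refresh`` fails because the AWS credential source
            returned an empty or non-JSON body (``json.JSONDecodeError`` is a
            ``ValueError``); re-raised with context naming the source.
        Any other exception ``credentials.refresh`` raises is propagated as-is.
    """
    import logging
    import os

    logger = logging.getLogger(__name__)

    # Avoid a mutable default argument; the scope list is built per call.
    if scopes is None:
        scopes = ["https://www.googleapis.com/auth/cloud-platform"]

    imds_base = "http://169.254.169.254/latest"

    # NOTE(review): google-auth's AWS credential source takes static keys from
    # AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (+ AWS_SESSION_TOKEN) first and
    # only then falls back to the IMDS "url" below — verify against the installed
    # google-auth version. On EKS, IRSA / Pod Identity hand the pod a
    # web-identity token (AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN), not static
    # keys, so this configuration ends up asking the *node's* IMDS. On hardened
    # clusters that is blocked (IMDS hop limit 1, network policy) and the reply
    # is empty; where it is reachable it returns the node role's credentials,
    # which is broader than the pod's own identity and not what WIF should be
    # bound to. Warn up front so the cause is visible rather than surfacing only
    # as a JSONDecodeError deep inside the library.
    has_static_keys = bool(
        os.environ.get("AWS_ACCESS_KEY_ID") and os.environ.get("AWS_SECRET_ACCESS_KEY")
    )
    if not has_static_keys and os.environ.get("AWS_WEB_IDENTITY_TOKEN_FILE"):
        logger.warning(
            "AWS_WEB_IDENTITY_TOKEN_FILE is set but no static AWS keys are in the "
            "environment; the AWS credential source will fall back to the node "
            "IMDS at %s, which is typically unreachable from a pod and would not "
            "reflect the pod's own IAM role.",
            imds_base,
        )

    json_config_info = {
        "type": "external_account",
        "audience": audience,
        # The subject token is a signed AWS SigV4 GetCallerIdentity request.
        "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
        "service_account_impersonation_url": (
            "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
            f"{service_account}:generateAccessToken"
        ),
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {
            "environment_id": "aws1",
            # Region is derived from the availability-zone string.
            "region_url": f"{imds_base}/meta-data/placement/availability-zone",
            # Role listing; the library appends the role name to fetch its keys.
            "url": f"{imds_base}/meta-data/iam/security-credentials",
            "regional_cred_verification_url": (
                "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
            ),
            # Presence of this key makes the library use IMDSv2 (PUT for a token).
            "imdsv2_session_token_url": f"{imds_base}/api/token",
        },
    }

    credentials = aws.Credentials.from_info(json_config_info).with_scopes(scopes=scopes)
    request = google.auth.transport.requests.Request()
    try:
        credentials.refresh(request)
    except ValueError as err:
        # Keep the exception type (callers may already catch ValueError) but say
        # where the unparseable body most likely came from.
        raise ValueError(
            f"refreshing federated credentials failed while parsing the AWS "
            f"credential source response (IMDS at {imds_base}): empty or non-JSON "
            "body. Check that IMDS is reachable from this pod, or provide AWS "
            "credentials through the environment instead of the node IMDS."
        ) from err
    return credentials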
However, it fails inside `credentials.refresh(request)` with this traceback:
  File ".../google/auth/aws.py", line 441, in get_aws_security_credentials
    credentials = self._get_metadata_security_credentials(
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File ".../google/auth/aws.py", line 556, in _get_metadata_security_credentials
    credentials_response = json.loads(response_body)
The body that `_get_metadata_security_credentials` receives from the IMDS credential endpoint (`credential_source.url`) is empty, so `json.loads()` raises. What could be causing this?