_#### Environment details

• OS: Ubuntu 20.04
• Python version: 3.8
• pip version: 22.2.2
• google-auth version: 2.11.0

Steps to reproduce

1. Create a service account save the email in a environment variable SA_EMAIL.
2. Enable service account impersonation for your user (principal YOUR_EMAIL) with the role iam.serviceAccountTokenCreator. i.e:

gcloud iam service-accounts add-iam-policy-binding \
  --role=roles/iam.serviceAccountTokenCreator \
  --member=serviceAccount:${YOUR_EMAIL} ${SA_EMAIL}

3. Install google-auth and requests into your Python environment
   pip install google-auth requests.
4. Paste the following code into a test Python file (e.g test.py):

import sys

import google.auth  # type: ignore
import google.auth.impersonated_credentials  # type: ignore

import unittest

class TestSignBlob(unittest.TestCase):

  def test_sign_blob(self):
    credentials, _ = google.auth.default()

    service_account_email = 'agentic-local-sa@agenticcorp.iam.gserviceaccount.com'

    signing_credentials = google.auth.impersonated_credentials.Credentials(
      source_credentials=credentials,
      target_principal=service_account_email,
      target_scopes=('https://www.googleapis.com/auth/devstorage.read_only',),
      lifetime=300)
    self.assertNotEqual(signing_credentials.sign_bytes(b'test'), b'')

if __name__ == '__main__':
  unittest.main()

5. Run the test

python test.py

6. Observe that a socket has been leaked on test tear down:

sign_leak.py:20: ResourceWarning: unclosed <ssl.SSLSocket fd=4, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('172.23.11.59', 53774), raddr=('172.217.164.106', 443)>
  self.assertNotEqual(signing_credentials.sign_bytes(b'test'), b'')
ResourceWarning: Enable tracemalloc to get the object allocation traceback

It looks like the bug is here

The requests session object is created but it's never closed. It should eventually be closed by the GC but really since it's no longer required it should be closed in this method.