diff --git a/gerrit_util.py b/gerrit_util.py
index a08ce1636..9e8a165a2 100644
--- a/gerrit_util.py
+++ b/gerrit_util.py
@@ -189,7 +189,7 @@ class CookiesAuthenticator(Authenticator):
         return 'https://%s/new-password' % ('.'.join(parts))
 
     @classmethod
-    def get_new_password_message(cls, host):
+    def _get_new_password_message(cls, host):
         if host is None:
             return ('Git host for Gerrit upload is unknown. Check your remote '
                     'and the branch your branch is tracking. This tool assumes '
@@ -252,6 +252,46 @@ class CookiesAuthenticator(Authenticator):
             return 'Bearer %s' % a[2], None
         return None, None
 
+
+    def ensure_authenticated(self, gerrit_host: str, git_host: str) -> Tuple[bool, str]:
+      """Returns (bypassable, error message).
+
+      If the error message is empty, there is no error to report.
+      If bypassable is true, the caller will allow the user to continue past the
+      error.
+      """
+      # Lazy-loader to identify Gerrit and Git hosts.
+      gerrit_auth = self._get_auth_for_host(gerrit_host)
+      git_auth = self._get_auth_for_host(git_host)
+      if gerrit_auth and git_auth:
+          if gerrit_auth == git_auth:
+              return True, ''
+          all_gsrc, _ = self.get_auth_info(
+              'd0esN0tEx1st.googlesource.com')
+          print(
+              'WARNING: You have different credentials for Gerrit and git hosts:\n'
+              '           %s\n'
+              '           %s\n'
+              '        Consider running the following command:\n'
+              '          git cl creds-check\n'
+              '        %s\n'
+              '        %s' %
+              (git_host, gerrit_host,
+               ('Hint: delete creds for .googlesource.com' if all_gsrc else
+                ''), self._get_new_password_message(git_host)))
+          return True, 'If you know what you are doing'
+
+      missing = (([] if gerrit_auth else [gerrit_host]) +
+                 ([] if git_auth else [git_host]))
+      return False, (
+        'Credentials for the following hosts are required:\n'
+        '  %s\n'
+        'These are read from %s\n'
+        '%s' %
+        ('\n  '.join(missing), self.get_gitcookies_path(),
+         self._get_new_password_message(git_host)))
+
+
     # Used to redact the cookies from the gitcookies file.
     GITCOOKIES_REDACT_RE = re.compile(r'1/.*')
 
diff --git a/git_cl.py b/git_cl.py
index 2d0ca89bc..ffbdcd65b 100755
--- a/git_cl.py
+++ b/git_cl.py
@@ -2312,37 +2312,14 @@ class Changelist(object):
         git_host = self._GetGitHost()
         assert self._gerrit_server and self._gerrit_host and git_host
 
-        gerrit_auth, _ = cookie_auth.get_auth_info(self._gerrit_host)
-        git_auth, _ = cookie_auth.get_auth_info(git_host)
-        if gerrit_auth and git_auth:
-            if gerrit_auth == git_auth:
-                return
-            all_gsrc, _ = cookie_auth.get_auth_info(
-                'd0esN0tEx1st.googlesource.com')
-            print(
-                'WARNING: You have different credentials for Gerrit and git hosts:\n'
-                '           %s\n'
-                '           %s\n'
-                '        Consider running the following command:\n'
-                '          git cl creds-check\n'
-                '        %s\n'
-                '        %s' %
-                (git_host, self._gerrit_host,
-                 ('Hint: delete creds for .googlesource.com' if all_gsrc else
-                  ''), cookie_auth.get_new_password_message(git_host)))
+        bypassable, msg = cookie_auth.ensure_authenticated(git_host, self._gerrit_host)
+        if not msg:
+            return  # OK
+        if bypassable:
             if not force:
-                confirm_or_exit('If you know what you are doing',
-                                action='continue')
-            return
-
-        missing = (([] if gerrit_auth else [self._gerrit_host]) +
-                   ([] if git_auth else [git_host]))
-        DieWithError('Credentials for the following hosts are required:\n'
-                     '  %s\n'
-                     'These are read from %s\n'
-                     '%s' %
-                     ('\n  '.join(missing), cookie_auth.get_gitcookies_path(),
-                      cookie_auth.get_new_password_message(git_host)))
+                confirm_or_exit(msg, action='continue')
+        else:
+          DieWithError(msg)
 
     def EnsureCanUploadPatchset(self, force):
         if not self.GetIssue():
diff --git a/tests/gerrit_util_test.py b/tests/gerrit_util_test.py
index 94d7d4c57..e7c407cc2 100755
--- a/tests/gerrit_util_test.py
+++ b/tests/gerrit_util_test.py
@@ -108,10 +108,10 @@ class CookiesAuthenticatorTest(unittest.TestCase):
         auth = gerrit_util.CookiesAuthenticator()
         self.assertIn(
             'https://chromium.googlesource.com/new-password',
-            auth.get_new_password_message('chromium-review.googlesource.com'))
+            auth._get_new_password_message('chromium-review.googlesource.com'))
         self.assertIn(
             'https://chrome-internal.googlesource.com/new-password',
-            auth.get_new_password_message('chrome-internal.googlesource.com'))
+            auth._get_new_password_message('chrome-internal.googlesource.com'))
 
     def testGetGitcookiesPath(self):
         self.assertEqual(