Update scopes when obtaining default token

The userinfo.email auth scope is required for obtaining access to the service account email associated with a token. Previously this scope was not provided resulting in no email information for the returned token. The email is needed for properly importing an OsLogin SSH key, thus causing a regression when using `use_os_login` with the DefaultTokenSource authentication method. Closes #82
hashicorp · Jul 25, 2022 · ba9c324 · ba9c324
1 parent 757a86c
commit ba9c324
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/builder/googlecompute/driver_gce.go b/builder/googlecompute/driver_gce.go
@@ -46,9 +46,9 @@ type GCEDriverConfig struct {
 }
 
 var DriverScopes = []string{
-	"https://www.googleapis.com/auth/userinfo.email",
 	"https://www.googleapis.com/auth/compute",
 	"https://www.googleapis.com/auth/devstorage.full_control",
+	"https://www.googleapis.com/auth/userinfo.email",
 }
 
 // Define a TokenSource that gets tokens from Vault
@@ -113,7 +113,8 @@ func NewClientOptionGoogle(account *ServiceAccount, vaultOauth string, impersona
 		opts = append(opts, option.WithCredentialsJSON(account.jsonKey))
 	} else {
 		log.Printf("[INFO] Requesting Google token via GCE API Default Client Token Source...")
-		ts, err := google.DefaultTokenSource(context.TODO(), "https://www.googleapis.com/auth/cloud-platform")
+		scopes := append(DriverScopes, "https://www.googleapis.com/auth/cloud-platform")
+		ts, err := google.DefaultTokenSource(context.TODO(), scopes...)
 		if err != nil {
 			return nil, err
 		}