From ba9c3241ece3d11cb422dc6815f6a613173a32aa Mon Sep 17 00:00:00 2001
From: Wilken Rivera
Date: Mon, 25 Jul 2022 14:38:21 -0400
Subject: [PATCH] Update scopes when obtaining default token

The userinfo.email auth scope is required for obtaining access to the service account email associated with a token. Previously this scope was not provided resulting in no email information for the returned token. The email is needed for properly importing an OsLogin SSH key, thus causing a regression when using `use_os_login` with the DefaultTokenSource authentication method.

Closes #82
---
 builder/googlecompute/driver_gce.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/builder/googlecompute/driver_gce.go b/builder/googlecompute/driver_gce.go
index 94a7fd70..f60750af 100644
--- a/builder/googlecompute/driver_gce.go
+++ b/builder/googlecompute/driver_gce.go
@@ -46,9 +46,9 @@ type GCEDriverConfig struct {
 }
 var DriverScopes = []string{
-	"https://www.googleapis.com/auth/userinfo.email",
 	"https://www.googleapis.com/auth/compute",
 	"https://www.googleapis.com/auth/devstorage.full_control",
+	"https://www.googleapis.com/auth/userinfo.email",
 }
 // Define a TokenSource that gets tokens from Vault
@@ -113,7 +113,8 @@ func NewClientOptionGoogle(account *ServiceAccount, vaultOauth string, impersona
 		opts = append(opts, option.WithCredentialsJSON(account.jsonKey))
 	} else {
 		log.Printf("[INFO] Requesting Google token via GCE API Default Client Token Source...")
-		ts, err := google.DefaultTokenSource(context.TODO(), "https://www.googleapis.com/auth/cloud-platform")
+		scopes := append(DriverScopes, "https://www.googleapis.com/auth/cloud-platform")
+		ts, err := google.DefaultTokenSource(context.TODO(), scopes...)
 		if err != nil {
 			return nil, err
 		}
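Review bot: The reordered `DriverScopes` literal carries no comment explaining why `userinfo.email` is in the list, even though the commit message says the whole fix depends on it; a maintainer trimming "unused" scopes later would reintroduce this regression. I would annotate the new line: `// userinfo.email lets the token carry the service account email, which OS Login SSH key import requires.` Since `cloud-platform` is appended to these scopes in the second hunk and already covers Compute and Storage access, a one-line note on the variable that the list is the baseline shared by every credential path (and is intentionally narrower than cloud-platform on its own) would also help readers judge the token's blast radius.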
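Review bot: `scopes := append(DriverScopes, ...)` appends to an exported package-level slice, so whenever `DriverScopes` has spare capacity the write lands in the shared backing array and leaks into every other reader of that variable; it happens to be safe today only because the slice literal has cap == len, which nothing enforces. Build the per-call list on a fresh array instead: `scopes := append(append([]string(nil), DriverScopes...), "https://www.googleapis.com/auth/cloud-platform")`. NewClientOptionGoogle starts and ends outside this hunk, so I cannot see whether `scopes` is reused further down; if it is, the same copy covers that use.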