storage: fix incorrect API scopes for IAM SignBlob API #629
lib/fog/storage/google_json/real.rb
apply_client_options(@iam_service, @options) | ||
iam_options = @options.merge(google_api_scope_url: GOOGLE_STORAGE_JSON_IAM_API_SCOPE_URLS.join(" "))) |
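Review bot: the `iam_options = @options.merge(...)` line closes one more parenthesis than it opens (`merge(` and `join(` account for two of the three trailing `)`), which will not parse; drop the stray `)`. It would also help to add a one-line comment noting that `google_api_scope_url` is consumed by this gem's `apply_client_options` and not forwarded to the Google SDK, since that is not obvious from the name.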
In the future, it might be nicer to distinguish between options that are only used by this gem and options that are used by the Google SDK. It's not obvious that `google_api_scope_url` isn't passed all the way to the Google SDK.
@Temikus Would you mind reviewing this? This seems to be a pretty critical fix for Google Kubernetes Engine users.
LGTM - feel free to drop the client too.
And thanks for your contributions @stanhu as usual ❤️
Kicked off the CI, once it passes will merge and release as soon as I can.
@stanhu looks like there's a small typo causing some errors - you can see the unit test run failing; `rake test:unit` for local if you need it.
Previously when a service account attempted to use the IAM SignBlob API, the request would fail with a 403 `ACCESS_TOKEN_SCOPE_INSUFFICIENT` because the wrong scope was requested. As documented in https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob, either `https://www.googleapis.com/auth/iam` or `https://www.googleapis.com/auth/cloud-platform` is needed. This commit fixes an issue where the default authorization header with the `https://www.googleapis.com/auth/devstorage.full_control` scope was being used by the IAM service. This occurred because the previous code did not actually set the scope properly, and for the IAM service to work properly, we need to request a new access token with the correct scope. Note that the service account in question needs to have the `Service Account Token Creator` IAM role to work. Closes fog#599
1866bc0 to f8ca6ce
Thanks. That was a last-minute refactor, should be fixed now.
LGTM, merging 👍 Will aim to release today if I can - if not - will push Friday.
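The failure mode the commit message describes (a token minted for the storage scope being reused against the IAM SignBlob API) is easy to catch before a request goes out. Below is a pre-flight scope check added here as an example; it is not code from fog-google or from this PR. The tokeninfo bodies are constructed samples, and `iam_options`, `granted_scopes` and `sign_blob_scope_error` are hypothetical helpers that mirror the shape of the fix.

```ruby
require "json"

# Scopes the IAM SignBlob API accepts, per the reference page linked in the PR.
IAM_SIGN_BLOB_SCOPES = %w[
  https://www.googleapis.com/auth/iam
  https://www.googleapis.com/auth/cloud-platform
].freeze

# Scope the storage client requests by default; insufficient for SignBlob.
STORAGE_DEFAULT_SCOPE = "https://www.googleapis.com/auth/devstorage.full_control"

# Build the options the IAM client should be created with: the storage
# options with the scope replaced by the IAM scopes (same idea as the fix,
# which requests a fresh token instead of reusing the storage one).
def iam_options(storage_options)
  storage_options.merge(google_api_scope_url: IAM_SIGN_BLOB_SCOPES.join(" "))
end

# Parse a tokeninfo-style JSON body; "scope" is a space-delimited string.
def granted_scopes(tokeninfo_json)
  body = JSON.parse(tokeninfo_json)
  body.fetch("scope", "").split(" ")
end

# Pre-flight check: SignBlob needs at least one of the accepted scopes.
# Returns nil when the token is usable, otherwise the reason string the
# 403 response carries, so callers can fail fast with a clear message.
def sign_blob_scope_error(granted)
  return nil if (granted & IAM_SIGN_BLOB_SCOPES).any?
  "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
end

# Constructed sample tokeninfo bodies (not real tokens or API responses).
STORAGE_ONLY_TOKENINFO = { "scope" => STORAGE_DEFAULT_SCOPE,
                           "expires_in" => 3599 }.to_json
IAM_TOKENINFO = { "scope" => iam_options({ google_api_scope_url: STORAGE_DEFAULT_SCOPE })[:google_api_scope_url],
                  "expires_in" => 3599 }.to_json

if __FILE__ == $PROGRAM_NAME
  puts "storage-scoped token: #{sign_blob_scope_error(granted_scopes(STORAGE_ONLY_TOKENINFO)).inspect}"
  puts "iam-scoped token:     #{sign_blob_scope_error(granted_scopes(IAM_TOKENINFO)).inspect}"
end
```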