fog / fog-google

Fog for Google Cloud Platform
MIT License
98 stars, 146 forks

storage: fix incorrect API scopes for IAM SignBlob API #629

Closed stanhu closed 5 months ago

stanhu commented 5 months ago

Previously when a service account attempted to use the IAM SignBlob API, the request would fail with a 403 ACCESS_TOKEN_SCOPE_INSUFFICIENT because the wrong scope was requested.

As documented in https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob, either https://www.googleapis.com/auth/iam or https://www.googleapis.com/auth/cloud-platform is needed.

This commit fixes an issue where the default authorization header with the https://www.googleapis.com/auth/devstorage.full_control scope was being used by the IAM service. This occurred because the previous code did not actually set the scope properly, and for the IAM service to work properly, we need to request a new access token with the correct scope.

Note that the service account in question needs to have the Service Account Token Creator IAM role to work.

Closes #599
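An added Ruby example (not fog-google's own code) illustrating the scope handling this PR describes: a token cache keyed by requested scope, plus the check signBlob effectively performs, showing that a token minted with the storage scope fails while one minted with the iam scope passes. The `fetcher` callable is a constructed stand-in for a real credential library call so the example runs offline.

```ruby
require 'set'

# Scopes named in the signBlob API reference cited in the PR description.
IAM_SCOPE            = 'https://www.googleapis.com/auth/iam'
CLOUD_PLATFORM_SCOPE = 'https://www.googleapis.com/auth/cloud-platform'
STORAGE_SCOPE        = 'https://www.googleapis.com/auth/devstorage.full_control'
SIGN_BLOB_ACCEPTED   = Set[IAM_SCOPE, CLOUD_PLATFORM_SCOPE].freeze

# Access-token cache keyed by scope set: each distinct scope set gets its own
# token, instead of every service reusing the first token that was minted.
class ScopedTokenCache
  # fetcher: callable taking an Array of scopes and returning
  # { token: String, scopes: Array<String> }. Injected so no network is needed.
  def initialize(fetcher)
    @fetcher = fetcher
    @tokens  = {}
  end

  def token_for(scopes)
    key = scopes.sort
    @tokens[key] ||= @fetcher.call(key)
  end

  def minted
    @tokens.size
  end
end

# Mirrors the server-side check: signBlob accepts a token carrying either the
# iam or the cloud-platform scope; any other token yields
# 403 ACCESS_TOKEN_SCOPE_INSUFFICIENT.
def sign_blob_authorized?(token)
  token[:scopes].any? { |s| SIGN_BLOB_ACCEPTED.include?(s) }
end

# Constructed fetcher: mints a fake token carrying exactly the requested scopes.
FAKE_FETCHER = lambda do |scopes|
  { token: "constructed-token-#{scopes.size}", scopes: scopes }
end

# Old behaviour: storage's token is reused for IAM. Fixed behaviour: IAM asks
# the cache for its own token with the iam scope.
def demo
  cache         = ScopedTokenCache.new(FAKE_FETCHER)
  storage_token = cache.token_for([STORAGE_SCOPE])
  iam_token     = cache.token_for([IAM_SCOPE])
  { reused_storage_token_ok: sign_blob_authorized?(storage_token), # false
    iam_scoped_token_ok:     sign_blob_authorized?(iam_token),     # true
    tokens_minted:           cache.minted }                        # 2
end
```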

stanhu commented 5 months ago

@Temikus Would you mind reviewing this? This seems to be a pretty critical fix for Google Kubernetes Engine users.

Temikus commented 5 months ago

And thanks for your contributions @stanhu as usual ❤️

Temikus commented 5 months ago

Kicked off the CI, once it passes will merge and release as soon as I can.

Temikus commented 5 months ago

@stanhu looks like there’s a small typo causing some errors - you can see the unit test run failing ‘rake test:unit’ for local if you need it.

stanhu commented 5 months ago

> @stanhu looks like there’s a small typo causing some errors - you can see the unit test run failing ‘rake test:unit’ for local if you need it.

Thanks. That was a last-minute refactor, should be fixed now.

Temikus commented 5 months ago

LGTM, merging 👍 Will aim to release today if I can - if not - will push Friday.