From 768ad30fbce15844dcdc386bb7826fcd85170179 Mon Sep 17 00:00:00 2001 From: Thomas Picariello Date: Fri, 7 Dec 2018 00:29:57 +1300 Subject: [PATCH] Fix google auth scoping for unscoped credentials (#46740) * Fix google auth scoping for unscoped credentials * Add changelog fragment (cherry picked from commit c8ecac8dc21de19769be030eaf3222cd0f6f420e) --- .../fragments/46740-gcp-utils-credentials-scoping.yaml | 2 ++ lib/ansible/module_utils/gcp_utils.py | 7 +++---- 2 files changed, 5 insertions(+), 4 deletions(-) create mode 100644 changelogs/fragments/46740-gcp-utils-credentials-scoping.yaml diff --git a/changelogs/fragments/46740-gcp-utils-credentials-scoping.yaml b/changelogs/fragments/46740-gcp-utils-credentials-scoping.yaml new file mode 100644 index 00000000000..067d6459405 --- /dev/null +++ b/changelogs/fragments/46740-gcp-utils-credentials-scoping.yaml @@ -0,0 +1,2 @@ +bugfixes: + - "gcp_utils - fix google auth scoping issue with application default credentials or google cloud engine credentials. Only scope credentials that can be scoped." diff --git a/lib/ansible/module_utils/gcp_utils.py b/lib/ansible/module_utils/gcp_utils.py index cea381d0276..1fbd07c2527 100644 --- a/lib/ansible/module_utils/gcp_utils.py +++ b/lib/ansible/module_utils/gcp_utils.py @@ -103,8 +103,7 @@ class GcpSession(object): self.module.fail_json(msg=inst.message) def session(self): - return AuthorizedSession( - self._credentials().with_scopes(self.module.params['scopes'])) + return AuthorizedSession(self._credentials()) def _validate(self): if not HAS_REQUESTS: @@ -126,11 +125,11 @@ class GcpSession(object): def _credentials(self): cred_type = self.module.params['auth_kind'] if cred_type == 'application': - credentials, project_id = google.auth.default() + credentials, project_id = google.auth.default(scopes=self.module.params['scopes']) return credentials elif cred_type == 'serviceaccount': path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file'])) - return service_account.Credentials.from_service_account_file(path) + return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes']) elif cred_type == 'machineaccount': return google.auth.compute_engine.Credentials( self.module.params['service_account_email'])