Fix google auth scoping for unscoped credentials (#46740)

* Fix google auth scoping for unscoped credentials

* Add changelog fragment
Thomas Picariello 2018-12-07 00:29:57 +13:00 committed by John R Barker
parent 5392caee14
commit c8ecac8dc2
2 changed files with 5 additions and 4 deletions


@ -0,0 +1,2 @@
bugfixes:
- "gcp_utils - fix google auth scoping issue with application default credentials or google cloud engine credentials. Only scope credentials that can be scoped."


@ -103,8 +103,7 @@ class GcpSession(object):
self.module.fail_json(msg=inst.message) self.module.fail_json(msg=inst.message)
def session(self): def session(self):
return AuthorizedSession( return AuthorizedSession(self._credentials())
self._credentials().with_scopes(self.module.params['scopes']))
def _validate(self): def _validate(self):
if not HAS_REQUESTS: if not HAS_REQUESTS:
@ -126,11 +125,11 @@ class GcpSession(object):
def _credentials(self): def _credentials(self):
cred_type = self.module.params['auth_kind'] cred_type = self.module.params['auth_kind']
if cred_type == 'application': if cred_type == 'application':
credentials, project_id = google.auth.default() credentials, project_id = google.auth.default(scopes=self.module.params['scopes'])
return credentials return credentials
elif cred_type == 'serviceaccount': elif cred_type == 'serviceaccount':
path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file'])) path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file']))
return service_account.Credentials.from_service_account_file(path) return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes'])
elif cred_type == 'machineaccount': elif cred_type == 'machineaccount':
return google.auth.compute_engine.Credentials( return google.auth.compute_engine.Credentials(
self.module.params['service_account_email']) self.module.params['service_account_email'])
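Review bot: The `machineaccount` branch at the end of this hunk returns `google.auth.compute_engine.Credentials(...)` without reading `params['scopes']`, and `google.auth.default(scopes=...)` in the `application` branch presumably applies the scopes only when the resolved credentials support scoping, so in those cases the task's `scopes` setting does not limit what the session can do. That matches the changelog's stated intent, but someone who sets a narrow `scopes` list for least privilege gets no signal that the effective scopes come from the instance or the ambient credentials instead. I would add a comment above the `machineaccount` return such as `# scopes are not applied here; effective scopes come from the instance's service account`, and consider a `self.module.warn(...)` when `scopes` is set but cannot be enforced. `_credentials` continues past the end of the hunk, so whatever follows this branch is not visible here.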