Fix google auth scoping for unscoped credentials (#46740)
* Fix google auth scoping for unscoped credentials * Add changelog fragment
parent
5392caee14
commit
c8ecac8dc2
2 changed files with 5 additions and 4 deletions
|
@ -0,0 +1,2 @@
|
||||||
|
bugfixes:
|
||||||
|
- "gcp_utils - fix google auth scoping issue with application default credentials or google cloud engine credentials. Only scope credentials that can be scoped."
|
|
@ -103,8 +103,7 @@ class GcpSession(object):
|
||||||
self.module.fail_json(msg=inst.message)
|
self.module.fail_json(msg=inst.message)
|
||||||
|
|
||||||
def session(self):
|
def session(self):
|
||||||
return AuthorizedSession(
|
return AuthorizedSession(self._credentials())
|
||||||
self._credentials().with_scopes(self.module.params['scopes']))
|
|
||||||
|
|
||||||
def _validate(self):
|
def _validate(self):
|
||||||
if not HAS_REQUESTS:
|
if not HAS_REQUESTS:
|
||||||
|
@ -126,11 +125,11 @@ class GcpSession(object):
|
||||||
def _credentials(self):
|
def _credentials(self):
|
||||||
cred_type = self.module.params['auth_kind']
|
cred_type = self.module.params['auth_kind']
|
||||||
if cred_type == 'application':
|
if cred_type == 'application':
|
||||||
credentials, project_id = google.auth.default()
|
credentials, project_id = google.auth.default(scopes=self.module.params['scopes'])
|
||||||
return credentials
|
return credentials
|
||||||
elif cred_type == 'serviceaccount':
|
elif cred_type == 'serviceaccount':
|
||||||
path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file']))
|
path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file']))
|
||||||
return service_account.Credentials.from_service_account_file(path)
|
return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes'])
|
||||||
elif cred_type == 'machineaccount':
|
elif cred_type == 'machineaccount':
|
||||||
return google.auth.compute_engine.Credentials(
|
return google.auth.compute_engine.Credentials(
|
||||||
self.module.params['service_account_email'])
|
self.module.params['service_account_email'])
|
||||||
|
|
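Review bot: In the second hunk the `machineaccount` branch of `_credentials()` still returns `google.auth.compute_engine.Credentials(...)` with no scopes applied, and since `session()` no longer calls `with_scopes`, `params['scopes']` is silently ignored for that auth kind. A playbook that sets a narrow scope list there presumably ends up with whatever access the instance's service account already has, which is a least-privilege surprise worth making visible. I would add a comment on that branch such as `# scopes param is not applied to Compute Engine credentials; the instance's own scopes are used`, and consider a `self.module.warn(...)` when `scopes` is set with `auth_kind: machineaccount`. `_credentials()` may continue past the end of the hunk, so a fallback branch for unknown `auth_kind` values cannot be confirmed from here.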