author | Thomas Picariello <thpica@gmail.com> | 2018-12-07 00:29:57 +1300 |
---|---|---|
committer | Toshio Kuratomi <a.badger@gmail.com> | 2018-12-06 09:43:35 -0800 |
commit | 768ad30fbce15844dcdc386bb7826fcd85170179 (patch) | |
tree | aec1abae37a5803762a0ea3a7d95a03be549f75a | |
parent | afb2e9d02949a9b53553c3d5af4bffea462bac41 (diff) | |
download | ansible-768ad30fbce15844dcdc386bb7826fcd85170179.tar.gz |
Fix google auth scoping for unscoped credentials (#46740)
* Fix google auth scoping for unscoped credentials
* Add changelog fragment
(cherry picked from commit c8ecac8dc21de19769be030eaf3222cd0f6f420e)
-rw-r--r-- | changelogs/fragments/46740-gcp-utils-credentials-scoping.yaml | 2 | ||||
-rw-r--r-- | lib/ansible/module_utils/gcp_utils.py | 7 |
2 files changed, 5 insertions, 4 deletions
diff --git a/changelogs/fragments/46740-gcp-utils-credentials-scoping.yaml b/changelogs/fragments/46740-gcp-utils-credentials-scoping.yaml
new file mode 100644
index 0000000000..067d645940
--- /dev/null
+++ b/changelogs/fragments/46740-gcp-utils-credentials-scoping.yaml
@@ -0,0 +1,2 @@
+bugfixes:
+  - "gcp_utils - fix google auth scoping issue with application default credentials or google cloud engine credentials. Only scope credentials that can be scoped."
diff --git a/lib/ansible/module_utils/gcp_utils.py b/lib/ansible/module_utils/gcp_utils.py
index cea381d027..1fbd07c252 100644
--- a/lib/ansible/module_utils/gcp_utils.py
+++ b/lib/ansible/module_utils/gcp_utils.py
@@ -103,8 +103,7 @@ class GcpSession(object):
             self.module.fail_json(msg=inst.message)
 
     def session(self):
-        return AuthorizedSession(
-            self._credentials().with_scopes(self.module.params['scopes']))
+        return AuthorizedSession(self._credentials())
 
     def _validate(self):
         if not HAS_REQUESTS:
@@ -126,11 +125,11 @@ class GcpSession(object):
     def _credentials(self):
         cred_type = self.module.params['auth_kind']
         if cred_type == 'application':
-            credentials, project_id = google.auth.default()
+            credentials, project_id = google.auth.default(scopes=self.module.params['scopes'])
             return credentials
         elif cred_type == 'serviceaccount':
             path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file']))
-            return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes'])
         elif cred_type == 'machineaccount':
             return google.auth.compute_engine.Credentials(
                 self.module.params['service_account_email'])
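Review bot: The `machineaccount` branch at the end of the second hunk of gcp_utils.py is now the only credential type that never receives `self.module.params['scopes']`, so that option is silently ignored there and the token carries whatever access scopes the instance's service account was configured with, which may be broader or narrower than what the module asked for. Since compute-engine credentials take their scopes from the metadata server rather than `with_scopes`, this looks deliberate (the changelog says only scopable credentials are scoped), but the asymmetry is invisible to a reader of `_credentials` and should be stated at that branch, e.g. `# Compute Engine credentials are scoped by the VM's service-account configuration; the 'scopes' option has no effect for auth_kind=machineaccount.` If the `scopes` option is documented in an argument spec elsewhere in the module, that text should carry the same caveat so operators do not assume the parameter constrains the token. `_credentials` may continue past the end of the hunk, so any fallback branch for an unknown `auth_kind` is outside this view.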