From 1d56d56f3d5760daf65e1bfe42075379d74e6b75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20P=C3=A9rez=20Hern=C3=A1ndez?=
Date: Mon, 11 Mar 2019 11:57:01 -0700
Subject: [PATCH] gce: configure: validate SA has storage scope

If the VM SA doesn't have storage scope associated, don't use the token in the curl request or the request will fail with 403.
---
 cluster/gce/gci/configure.sh | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/cluster/gce/gci/configure.sh b/cluster/gce/gci/configure.sh
index f6b2501a0b..b5cc1ff6ce 100644
--- a/cluster/gce/gci/configure.sh
+++ b/cluster/gce/gci/configure.sh
@@ -124,11 +124,16 @@ function validate-hash {
 }
 
 # Get default service account credentials of the VM.
+GCE_METADATA_INTERNAL="http://metadata.google.internal/computeMetadata/v1/instance"
 function get-credentials {
-  curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google" -s | python -c \
+  curl "${GCE_METADATA_INTERNAL}/service-accounts/default/token" -H "Metadata-Flavor: Google" -s | python -c \
     'import sys; import json; print(json.loads(sys.stdin.read())["access_token"])'
 }
 
+function valid-storage-scope {
+  curl "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -q "auth/devstorage"
+}
+
 # Retry a download until we get it. Takes a hash and a set of URLs.
 #
 # $1 is the sha1 of the URL. Can be "" if the sha1 is unknown.
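Review bot: `valid-storage-scope` only accepts a scope list containing `auth/devstorage`, so a VM whose service account carries the broader `https://www.googleapis.com/auth/cloud-platform` scope (which, as far as I know, also grants Cloud Storage access) is treated as having no storage scope, the bearer token is dropped, and the download of a private object fails with 403 — the situation the commit set out to avoid. Widening the match to `grep -qE "auth/(devstorage|cloud-platform)"` would cover that configuration. A metadata-server failure also produces empty output here and silently degrades to an unauthenticated request, which is a reasonable fallback but deserves a comment above the function so the next reader does not mistake it for a bug: `# Returns 0 if the default SA exposes a GCS scope; any metadata error is treated as "no scope".` Since `GCE_METADATA_INTERNAL` is a script-wide constant, declaring it `readonly` would guard it against accidental reassignment elsewhere in this long script.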
@@ -144,7 +149,7 @@ function download-or-bust {
       rm -f "${file}"
       # if the url belongs to GCS API we should use oauth2_token in the headers
       local curl_headers=""
-      if [[ "$url" =~ ^https://storage.googleapis.com.* ]]; then
+      if [[ "$url" =~ ^https://storage.googleapis.com.* ]] && valid-storage-scope ; then
         curl_headers="Authorization: Bearer $(get-credentials)"
       fi
       if ! curl ${curl_headers:+-H "${curl_headers}"} -f --ipv4 -Lo "${file}" --connect-timeout 20 --max-time 300 --retry 6 --retry-delay 10 ${CURL_RETRY_CONNREFUSED} "${url}"; then
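Review bot: The rewritten condition still gates the service-account access token on `^https://storage.googleapis.com.*`, where the unescaped dots and the missing `/` after the host mean a URL like `https://storage.googleapis.com.example.net/...` (or any host whose name merely starts that way) also matches, so if the download URL list can be influenced, the VM's bearer token is handed to a non-Google host. Anchoring the host, `if [[ "$url" =~ ^https://storage\.googleapis\.com/ ]] && valid-storage-scope; then`, keeps the intended match and closes that off. Separately, `valid-storage-scope` now performs a metadata-server round-trip for every URL and every retry pass of this loop; evaluating it once into a variable before the loop would be cheaper and keep the decision stable across retries. `download-or-bust` starts and ends outside this hunk.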