[auth/gcp] looking up IAM email before fetching keyset

nytimes · Nov 5, 2018 · 3093522 · 3093522
1 parent ef75c2c
commit 3093522
Showing 1 changed file with 5 additions and 6 deletions.
diff --git a/auth/gcp/iam.go b/auth/gcp/iam.go
@@ -40,20 +40,19 @@ type IAMClaimSet struct {
 // NewDefaultIAMVerifier will verify tokens that have the same default service account as
 // the server running this verifier.
 func NewDefaultIAMVerifier(ctx context.Context, cfg IAMConfig, clientFunc func(context.Context) *http.Client) (*auth.Verifier, error) {
-	ks, err := NewIAMPublicKeySource(ctx, cfg, clientFunc)
-	if err != nil {
-		return nil, err
-	}
-
 	eml := cfg.ServiceAccountEmail
-	// only fall back if one isn't injected
 	if eml == "" {
 		eml, err = GetDefaultEmail(ctx, "", clientFunc(ctx))
 		if err != nil {
 			return nil, errors.Wrap(err, "unable to get default email")
 		}
 	}
 
+	ks, err := NewIAMPublicKeySource(ctx, cfg, clientFunc)
+	if err != nil {
+		return nil, err
+	}
+
 	return auth.NewVerifier(ks,
 		IAMClaimsDecoderFunc, VerifyIAMEmails(ctx, []string{eml}, cfg.Audience)), nil
 }