fix(storage): fix system test and change scope for iam access token #47
System test throws 'Identity and Access Management (IAM) API has not been used in project before or it is disabled.' error, so need (IAM) permission for this project.
tests/system.py
@@ -1066,7 +1067,7 @@ def test_create_signed_read_url_v4_w_access_token(self): | |||
client = iam_credentials_v1.IAMCredentialsClient() | |||
service_account_email = Config.CLIENT._credentials.service_account_email | |||
name = client.service_account_path("-", service_account_email) | |||
scope = ["https://www.googleapis.com/auth/devstorage.read_write"] | |||
scope = ["https://www.googleapis.com/auth/cloud-platform"] |
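Review bot: the changed scope line in test_create_signed_read_url_v4_w_access_token swaps https://www.googleapis.com/auth/devstorage.read_write for https://www.googleapis.com/auth/cloud-platform, which is a much broader grant than a token used to sign one read URL needs. Suggest keeping the storage scope and adding only the IAM-specific scope (https://www.googleapis.com/auth/iam) next to it, plus a short comment on the line saying which call requires the extra scope, so the list is not widened again later without a reason.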
(we don't have to block merging on this as it is a test, but if this is needed it seems like a large scope for narrow use?)
FWIW, I can confirm that both tests fail on master with a 403 without this patch.
Update: it fails even with the cloud-platform scope for me on master.
Could you narrow the scope down to: https://www.googleapis.com/auth/iam
Documented at the bottom of the following document: https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob
To clarify, you can join both:
scope = ['https://www.googleapis.com/auth/devstorage.read_write', 'https://www.googleapis.com/auth/iam']
…oogleapis#47) * fix(storage): change scope for iam access token * fix: narrow scope * fix: trailing commas * chore: blacken Co-authored-by: Christopher Wilcox <crwilcox@google.com>
Fixes #46