fix(storage): fix system test and change scope for iam access token #47

Merged
merged 6 commits into from Feb 12, 2020

Contributor

@HemangChothani HemangChothani commented Feb 6, 2020

Fixes #46

Contributor Author

@HemangChothani HemangChothani commented Feb 6, 2020

The system test throws an 'Identity and Access Management (IAM) API has not been used in project before or it is disabled.' error, so (IAM) permission is needed for this project.

tests/system.py Outdated
@@ -1066,7 +1067,7 @@ def test_create_signed_read_url_v4_w_access_token(self):
client = iam_credentials_v1.IAMCredentialsClient()
service_account_email = Config.CLIENT._credentials.service_account_email
name = client.service_account_path("-", service_account_email)
scope = ["https://www.googleapis.com/auth/devstorage.read_write"]
scope = ["https://www.googleapis.com/auth/cloud-platform"]
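Review bot: the replacement scope line in test_create_signed_read_url_v4_w_access_token swaps devstorage.read_write for https://www.googleapis.com/auth/cloud-platform, which is far broader than a test that signs a read URL needs. If the failure comes from the IAM API call, keep the storage scope and add only the IAM one, for example devstorage.read_write together with https://www.googleapis.com/auth/iam, so the generated access token stays limited to what the test exercises. A short comment above the scope list saying why each scope is there would also help the next reader.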
Contributor

@crwilcox crwilcox Feb 11, 2020

This seems like a lot of access. @jkwlui @frankyn is this scope needed for this?

Contributor

@crwilcox crwilcox Feb 11, 2020

(we don't have to block merging on this as it is a test, but if this is needed it seems like a large scope for narrow use?)

Contributor

@tseaver tseaver Feb 11, 2020

FWIW, I can confirm that both tests fail on master with a 403 without this patch.

Update: it fails even with the cloud-platform scope for me on master.

Member

@frankyn frankyn Feb 11, 2020

Could you narrow the scope down to: https://www.googleapis.com/auth/iam

Documented at the bottom of the following document: https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob

Member

@frankyn frankyn Feb 11, 2020

To clarify, you can join both:

scope = ['https://www.googleapis.com/auth/devstorage.read_write', 'https://www.googleapis.com/auth/iam']

@crwilcox crwilcox merged commit bc5375f into googleapis:master Feb 12, 2020
3 checks passed
cojenco added a commit to cojenco/python-storage that referenced this issue Oct 13, 2021
…oogleapis#47)

* fix(storage): change scope for iam access token

* fix: narrow scope

* fix: trailing commas

* chore: blacken

Co-authored-by: Christopher Wilcox <crwilcox@google.com>