From 80a1ba7b91ccefc704cdd913f6bb2a4f369c5fe8 Mon Sep 17 00:00:00 2001
From: Benjamin Elder
Date: Thu, 20 Feb 2020 14:07:14 -0800
Subject: [PATCH] fix get-kube authorization headers

---
 cluster/get-kube-binaries.sh | 15 ++-------------
 cluster/get-kube.sh | 11 ++---------
 2 files changed, 4 insertions(+), 22 deletions(-)

diff --git a/cluster/get-kube-binaries.sh b/cluster/get-kube-binaries.sh
index 1e3e1f6619cf..7a5f82ade57f 100755
--- a/cluster/get-kube-binaries.sh
+++ b/cluster/get-kube-binaries.sh
@@ -143,17 +143,6 @@ function sha1sum_file() {
 fi
 }
 
-# Get default service account credentials of the VM.
-GCE_METADATA_INTERNAL="http://metadata.google.internal/computeMetadata/v1/instance"
-function get-credentials {
- curl "${GCE_METADATA_INTERNAL}/service-accounts/default/token" -H "Metadata-Flavor: Google" -s | python -c \
- 'import sys; import json; print(json.loads(sys.stdin.read())["access_token"])'
-}
-
-function valid-storage-scope {
- curl "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -E "auth/devstorage|auth/cloud-platform"
-}
-
 function download_tarball() {
 local -r download_path="$1"
 local -r file="$2"
@@ -163,8 +152,8 @@ function download_tarball() {
 # if the url belongs to GCS API we should use oauth2_token in the headers
 curl_headers=""
 if { [[ "${KUBERNETES_PROVIDER:-gce}" == "gce" ]] || [[ "${KUBERNETES_PROVIDER}" == "gke" ]] ; } &&
- [[ "$url" =~ ^https://storage.googleapis.com.* ]] && valid-storage-scope ; then
- curl_headers="Authorization: Bearer $(get-credentials)"
+ [[ "$url" =~ ^https://storage.googleapis.com.* ]]; then
+ curl_headers="Authorization: Bearer $(gcloud auth print-access-token)"
 fi
 curl ${curl_headers:+-H "${curl_headers}"} -fL --retry 3 --keepalive-time 2 "${url}" -o "${download_path}/${file}"
 elif [[ $(which wget) ]]; then
diff --git a/cluster/get-kube.sh b/cluster/get-kube.sh
index 510ef378c12a..6931d0e3a7d8 100755
--- a/cluster/get-kube.sh
+++ b/cluster/get-kube.sh
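Review bot: The host test `^https://storage.googleapis.com.*` in download_tarball is now the only gate on sending the caller's own gcloud access token, and it is loose: the dots are unescaped and nothing anchors the end of the host name, so a URL such as `https://storage.googleapis.com.example.invalid/` (constructed example) would also match. Tightening it to `^https://storage\.googleapis\.com/` keeps the token on the intended host. The substitution also runs without checking that gcloud exists or returned a token, so on a machine without gcloud or without a logged-in account the script would, as far as the hunk shows, either abort or send an empty `Bearer` header where an anonymous download might have worked. The same two lines appear in the last hunk of cluster/get-kube.sh with `kubernetes_tar_url` (that code is not inside a function, so `local` would not apply there); download_tarball's body continues outside this hunk.

```shell
if { [[ "${KUBERNETES_PROVIDER:-gce}" == "gce" ]] || [[ "${KUBERNETES_PROVIDER}" == "gke" ]] ; } &&
   [[ "$url" =~ ^https://storage\.googleapis\.com/ ]] &&
   command -v gcloud >/dev/null; then
  # Attach the header only when gcloud actually returned a token;
  # otherwise fall through to an unauthenticated request.
  local access_token
  if access_token="$(gcloud auth print-access-token)" && [[ -n "${access_token}" ]]; then
    curl_headers="Authorization: Bearer ${access_token}"
  fi
fi
# … unchanged: curl download using ${curl_headers} …
```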
@@ -122,13 +122,6 @@ function create_cluster {
 )
 }
 
-# Get default service account credentials of the VM.
-GCE_METADATA_INTERNAL="http://metadata.google.internal/computeMetadata/v1/instance"
-function get-credentials {
- curl "${GCE_METADATA_INTERNAL}/service-accounts/default/token" -H "Metadata-Flavor: Google" -s | python -c \
- 'import sys; import json; print(json.loads(sys.stdin.read())["access_token"])'
-}
-
 function valid-storage-scope {
 curl "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -E "auth/devstorage|auth/cloud-platform"
 }
@@ -242,8 +235,8 @@ if "${need_download}"; then
 # if the url belongs to GCS API we should use oauth2_token in the headers
 curl_headers=""
 if { [[ "${KUBERNETES_PROVIDER:-gce}" == "gce" ]] || [[ "${KUBERNETES_PROVIDER}" == "gke" ]] ; } &&
- [[ "$kubernetes_tar_url" =~ ^https://storage.googleapis.com.* ]] && valid-storage-scope ; then
- curl_headers="Authorization: Bearer $(get-credentials)"
+ [[ "$kubernetes_tar_url" =~ ^https://storage.googleapis.com.* ]] ; then
+ curl_headers="Authorization: Bearer $(gcloud auth print-access-token)"
 fi
 curl ${curl_headers:+-H "${curl_headers}"} -fL --retry 3 --keepalive-time 2 "${kubernetes_tar_url}" -o "${file}"
 elif [[ $(which wget) ]]; then
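Review bot: With `&& valid-storage-scope` dropped from this condition, the `valid-storage-scope` function that the first hunk of this file keeps as context has no visible caller, and it still reads `GCE_METADATA_INTERNAL`, whose definition that same hunk deletes. cluster/get-kube-binaries.sh removes the function outright; doing the same here would avoid leaving a helper that expands an undefined variable if anything calls it later. Whether other callers exist outside the shown hunks cannot be told from this patch.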