Merge branch 'release-0.0.1.dev36'

spotify · May 8, 2020 · b3fe0a6 · b3fe0a6
2 parents 9efc9bb + 5160104
commit b3fe0a6
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 19 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,14 @@
 Changelog
 =========
 
+0.0.1.dev36 (2020-05-08)
+------------------------
+
+Changed
+~~~~~~~
+
+* Ensure to use correct email when calling metadata token url
+
 0.0.1.dev35 (2020-04-30)
 ------------------------
 

diff --git a/src/gordon_gcp/__init__.py b/src/gordon_gcp/__init__.py
@@ -15,7 +15,7 @@
 # limitations under the License.
 
 __author__ = 'Lynn Root'
-__version__ = '0.0.1.dev35'
+__version__ = '0.0.1.dev36'
 __license__ = 'Apache 2.0'
 __email__ = 'lynn@spotify.com'
 __description__ = 'GCP Plugins for Gordon and Gordon Janitor'

diff --git a/src/gordon_gcp/clients/auth.py b/src/gordon_gcp/clients/auth.py
@@ -190,17 +190,31 @@ async def refresh_token(self):
     async def _refresh_token_using_compute_credentials(self):
         metadata_host = os.getenv(environment_vars.GCE_METADATA_ROOT,
                                   'metadata.google.internal')
-        url = (f'http://{metadata_host}/computeMetadata/'
-               'v1/instance/service-accounts/'
-               f'{self.creds._service_account_email}/token')
-        headers = {'metadata-flavor', 'google'}
-        await self._execute_refresh_token_request(url, 'GET', headers)
+
+        headers = {'Metadata-Flavor': 'Google'}
+        sa_url = (f'http://{metadata_host}/computeMetadata/'
+                  'v1/instance/service-accounts/'
+                  f'{self.creds._service_account_email}/'
+                  '?recursive=true')
+
+        sa_response = await self._execute_request(sa_url, 'GET', headers)
+        if 'email' in sa_response:
+            email = sa_response['email']
+        else:
+            email = self.creds._service_account_email
+
+        token_url = (f'http://{metadata_host}/computeMetadata/'
+                     'v1/instance/service-accounts/'
+                     f'{email}/token')
+        token_response = await self._execute_request(token_url, 'GET', headers)
+        self._handle_refresh_token_response(token_response)
 
     async def _refresh_token_using_service_account_credentials(self):
         url, headers, body = self._setup_token_request()
-        await self._execute_refresh_token_request(url, 'POST', headers, body)
+        response = await self._execute_request(url, 'POST', headers, body)
+        self._handle_refresh_token_response(response)
 
-    async def _execute_refresh_token_request(
+    async def _execute_request(
             self, url, method, headers, body=None):
         request_id = uuid.uuid4()
         logging.debug(_utils.REQ_LOG_FMT.format(
@@ -224,12 +238,14 @@ async def _execute_refresh_token_request(
                 logging.error(msg, exc_info=e)
                 raise exceptions.GCPHTTPResponseError(msg, resp.status)
 
-            response = await resp.json()
-            try:
-                self.token = response['access_token']
-            except KeyError:
-                msg = '[{request_id}] No access token in response.'
-                logging.error(msg)
-                raise exceptions.GCPAuthError(msg)
+            return await resp.json()
+
+    def _handle_refresh_token_response(self, response):
+        if 'access_token' in response:
+            self.token = response['access_token']
+        else:
+            msg = '[{request_id}] No access token in response.'
+            logging.error(msg)
+            raise exceptions.GCPAuthError(msg)
 
         self.expiry = _client._parse_expiry(response)
diff --git a/tests/unit/clients/test_auth.py b/tests/unit/clients/test_auth.py
@@ -278,14 +278,18 @@ async def test_refresh_token_with_compute_engine_cred(
         client_with_compute_engine_cred, mock_parse_expiry,
         caplog, payload_resp_refresh_token):
     """Successfully refresh access token with compute engine credentials ."""
-    url = ('http://metadata.google.internal/'
-           'computeMetadata/v1/instance/service-accounts/default/token')
+    sa_url = ('http://metadata.google.internal/'
+              'computeMetadata/v1/instance/service-accounts/default/'
+              '?recursive=true')
+    token_url = ('http://metadata.google.internal/'
+                 'computeMetadata/v1/instance/service-accounts/default/token')
     token = 'c0ffe3'
     with aioresponses() as mocked:
-        mocked.get(url, status=200, payload=payload_resp_refresh_token)
+        mocked.get(sa_url, status=200, payload={'email': 'default'})
+        mocked.get(token_url, status=200, payload=payload_resp_refresh_token)
         await client_with_compute_engine_cred.refresh_token()
     assert token == client_with_compute_engine_cred.token
-    assert 2 == len(caplog.records)
+    assert 4 == len(caplog.records)
 
 
 args = 'status,payload,exc,err_msg'