configurable scopes for gcp default credentials

- add config.scopes field comma-separated scope URLs, to be used with Google Application Default Credentials (i.e. GOOGLE_APPLICATION_CREDENTIALS env) - default scopes now include userinfo.email scope so the headless app with gserviceaccount keys can have RoleBindings with email instead of account ID. Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
kubernetes · Jan 18, 2018 · e19dc6a · e19dc6a
1 parent 8d24ce1
commit e19dc6a
Showing 1 changed file with 22 additions and 1 deletion.
diff --git a/staging/src/k8s.io/client-go/plugin/pkg/client/auth/gcp/gcp.go b/staging/src/k8s.io/client-go/plugin/pkg/client/auth/gcp/gcp.go
@@ -55,6 +55,14 @@ var execCommand = exec.Command
 //     "name": "gcp",
 //
 //     'config': {
+//       # Authentication options
+//       # These options are used while getting a token.
+//
+//       # comma-separated list of GCP API scopes. default value of this field
+//       # is "https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/userinfo.email".
+// 		 # to override the API scopes, specify this field explicitly.
+//       "scopes": "https://www.googleapis.com/auth/cloud-platform"
+//
 //       # Caching options
 //
 //       # Raw string data representing cached access token.
@@ -102,6 +110,9 @@ func newGCPAuthProvider(_ string, gcpConfig map[string]string, persister restcli
 		if len(cmd) == 0 {
 			return nil, fmt.Errorf("missing access token cmd")
 		}
+		if gcpConfig["scopes"] != "" {
+			return nil, fmt.Errorf("scopes can only be used when kubectl is using a gcp service account key")
+		}
 		var args []string
 		if cmdArgs, ok := gcpConfig["cmd-args"]; ok {
 			args = strings.Fields(cmdArgs)
@@ -112,7 +123,17 @@ func newGCPAuthProvider(_ string, gcpConfig map[string]string, persister restcli
 		}
 		ts = newCmdTokenSource(cmd, args, gcpConfig["token-key"], gcpConfig["expiry-key"], gcpConfig["time-fmt"])
 	} else {
-		ts, err = google.DefaultTokenSource(context.Background(), "https://www.googleapis.com/auth/cloud-platform")
+		var scopes []string
+		if gcpConfig["scopes"] != "" {
+			scopes = strings.Split(gcpConfig["scopes"], ",")
+		} else {
+			// default scopes: userinfo.email is used to authenticate to
+			// GKE APIs with gserviceaccount email instead of numeric uniqueID.
+			scopes = []string{
+				"https://www.googleapis.com/auth/cloud-platform",
+				"https://www.googleapis.com/auth/userinfo.email"}
+		}
+		ts, err = google.DefaultTokenSource(context.Background(), scopes...)
 	}
 	if err != nil {
 		return nil, err