Merge pull request #629 from stanhu/sh-fix-storage-iam-scope

Author: Temikus

lib/fog/google/shared.rb

@@ -67,20 +67,21 @@ def initialize_google_client(options)
           ::Google::Apis.logger.level = ::Logger::DEBUG
         end
 
-        auth = nil
+        initialize_auth(options).tap do |auth|
+          ::Google::Apis::RequestOptions.default.authorization = auth
+        end
+      end
 
+      def initialize_auth(options)
         if options[:google_json_key_location] || options[:google_json_key_string]
-          auth = process_key_auth(options)
+          process_key_auth(options)
         elsif options[:google_auth]
-          auth = options[:google_auth]
+          options[:google_auth]
         elsif options[:google_application_default]
-          auth = process_application_default_auth(options)
+          process_application_default_auth(options)
         else
-          auth = process_fallback_auth(options)
+          process_fallback_auth(options)
         end
-
-        ::Google::Apis::RequestOptions.default.authorization = auth
-        auth
       end
 
       ##

lib/fog/storage/google_json.rb

@@ -29,7 +29,7 @@ class GoogleJSON < Fog::Service
 
       # Version of IAM API used for blob signing, see Fog::Storage::GoogleJSON::Real#iam_signer
       GOOGLE_STORAGE_JSON_IAM_API_VERSION = "v1".freeze
-      GOOGLE_STORAGE_JSON_IAM_API_SCOPE_URLS = %w(https://www.googleapis.com/auth/devstorage.full_control).freeze
+      GOOGLE_STORAGE_JSON_IAM_API_SCOPE_URLS = %w(https://www.googleapis.com/auth/iam).freeze
 
       # TODO: Come up with a way to only request a subset of permissions.
       # https://cloud.google.com/storage/docs/json_api/v1/how-tos/authorizing

lib/fog/storage/google_json/real.rb

@@ -10,16 +10,12 @@ class Real
 
         def initialize(options = {})
           shared_initialize(options[:google_project], GOOGLE_STORAGE_JSON_API_VERSION, GOOGLE_STORAGE_JSON_BASE_URL)
+          @options = options.dup
           options[:google_api_scope_url] = GOOGLE_STORAGE_JSON_API_SCOPE_URLS.join(" ")
           @host = options[:host] || "storage.googleapis.com"
 
           # TODO(temikus): Do we even need this client?
           @client = initialize_google_client(options)
-          # IAM client used for SignBlob API
-          @iam_service = ::Google::Apis::IamcredentialsV1::IAMCredentialsService.new
-          apply_client_options(@iam_service, {
-                                 google_api_scope_url: GOOGLE_STORAGE_JSON_IAM_API_SCOPE_URLS.join(" ")
-                               })
 
           @storage_json = ::Google::Apis::StorageV1::StorageService.new
           apply_client_options(@storage_json, options)
@@ -141,6 +137,18 @@ def default_signer(string_to_sign)
           return key.sign(digest, string_to_sign)
         end
 
+        # IAM client used for SignBlob API.
+        # Lazily initialize this since it requires another authorization request.
+        def iam_service
+          return @iam_service if defined?(@iam_service)
+
+          @iam_service = ::Google::Apis::IamcredentialsV1::IAMCredentialsService.new
+          apply_client_options(@iam_service, @options)
+          iam_options = @options.merge(google_api_scope_url: GOOGLE_STORAGE_JSON_IAM_API_SCOPE_URLS.join(" "))
+          @iam_service.authorization = initialize_auth(iam_options)
+          @iam_service
+        end
+
         ##
         # Fallback URL signer using the IAM SignServiceAccountBlob API, see
         #   Google::Apis::IamcredentialsV1::IAMCredentialsService#sign_service_account_blob
@@ -162,7 +170,7 @@ def iam_signer(string_to_sign)
           )
 
           resource = "projects/-/serviceAccounts/#{google_access_id}"
-          response = @iam_service.sign_service_account_blob(resource, request)
+          response = iam_service.sign_service_account_blob(resource, request)
 
           return response.signed_blob
         end