internal/resource: fix gs:// fetches in GCE without a service account

When running in GCE, we assumed that we should always perform
authenticated GS fetches.  However, these can fail if the VM is not
associated with a service account, even if the object being fetched is
publicly readable:

    error while reading content from ...: metadata: GCE metadata "instance/service-accounts/default/token?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdevstorage.read_only" not defined

Query the VM's service account scopes first, and if that query fails
(presumably because there is no service account), fall back to anonymous
access.

internal/resource/url.go

@@ -354,18 +354,23 @@ func (f *Fetcher) fetchFromDataURL(u url.URL, dest io.Writer, opts FetchOptions)
 // credentials to fetch the object content.
 func (f *Fetcher) fetchFromGCS(u url.URL, dest io.Writer, opts FetchOptions) error {
 	ctx := context.Background()
-	var clientOption option.ClientOption
 	if f.GCSSession == nil {
+		clientOption := option.WithoutAuthentication()
 		if metadata.OnGCE() {
-			id, _ := metadata.ProjectID()
-			creds := &google.Credentials{
-				ProjectID:   id,
-				TokenSource: google.ComputeTokenSource("", storage.ScopeReadOnly),
+			// check whether the VM is associated with a service
+			// account
+			if _, err := metadata.Scopes(""); err == nil {
+				id, _ := metadata.ProjectID()
+				creds := &google.Credentials{
+					ProjectID:   id,
+					TokenSource: google.ComputeTokenSource("", storage.ScopeReadOnly),
+				}
+				clientOption = option.WithCredentials(creds)
+			} else {
+				f.Logger.Debug("falling back to unauthenticated GCS access: %v", err)
 			}
-			clientOption = option.WithCredentials(creds)
 		} else {
-			f.Logger.Debug("falling back to unauthenticated GCS access")
-			clientOption = option.WithoutAuthentication()
+			f.Logger.Debug("falling back to unauthenticated GCS access: not running in GCE")
 		}
 
 		var err error