From 2febcab53fc442d39490a2ae8421cd6a9cf1e9eb Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Mon, 9 May 2022 16:59:34 -0400
Subject: [PATCH] internal/resource: fix gs:// fetches in GCE without a service account

When running in GCE, we assumed that we should always perform authenticated GS fetches. However, these can fail if the VM is not associated with a service account, even if the object being fetched is publicly readable:
error while reading content from ...: metadata: GCE metadata "instance/service-accounts/default/token?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdevstorage.read_only" not defined
Query the VM's service account scopes first, and if that query fails (presumably because there is no service account), fall back to anonymous access.
---
 internal/resource/url.go | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/internal/resource/url.go b/internal/resource/url.go
index b7873c54a..2696b6973 100644
--- a/internal/resource/url.go
+++ b/internal/resource/url.go
@@ -354,18 +354,23 @@ func (f *Fetcher) fetchFromDataURL(u url.URL, dest io.Writer, opts FetchOptions)
 // credentials to fetch the object content.
 func (f *Fetcher) fetchFromGCS(u url.URL, dest io.Writer, opts FetchOptions) error {
 ctx := context.Background()
- var clientOption option.ClientOption
 if f.GCSSession == nil {
+ clientOption := option.WithoutAuthentication()
 if metadata.OnGCE() {
- id, _ := metadata.ProjectID()
- creds := &google.Credentials{
- ProjectID: id,
- TokenSource: google.ComputeTokenSource("", storage.ScopeReadOnly),
+ // check whether the VM is associated with a service
+ // account
+ if _, err := metadata.Scopes(""); err == nil {
+ id, _ := metadata.ProjectID()
+ creds := &google.Credentials{
+ ProjectID: id,
+ TokenSource: google.ComputeTokenSource("", storage.ScopeReadOnly),
+ }
+ clientOption = option.WithCredentials(creds)
+ } else {
+ f.Logger.Debug("falling back to unauthenticated GCS access: %v", err)
 }
- clientOption = option.WithCredentials(creds)
 } else {
- f.Logger.Debug("falling back to unauthenticated GCS access")
- clientOption = option.WithoutAuthentication()
+ f.Logger.Debug("falling back to unauthenticated GCS access: not running in GCE")
 }
 var err error