about summary refs log tree commit diff
diff options
context:
space:
mode:
authorVincent Ambo <tazjin@google.com>2019-10-02T14·19+0100
committerVincent Ambo <github@tazj.in>2019-10-03T12·21+0100
commitf4f290957305a5a81292edef717a18a7c36be4bf (patch)
tree2c98ac4fa1b8bba9f4a37cc3e8f5e7c1106c77a4
parentaa02ae142166af23c1b6d8533b8eea5d6fa3e9a1 (diff)
fix(server): Specify correct authentication scope for GCS
When retrieving tokens for service service accounts, some methods of
retrieval require a scope to be specified.
-rw-r--r--tools/nixery/server/builder/builder.go5
1 files changed, 4 insertions, 1 deletions
diff --git a/tools/nixery/server/builder/builder.go b/tools/nixery/server/builder/builder.go
index 1bdd9212c770..ddfd4a078229 100644
--- a/tools/nixery/server/builder/builder.go
+++ b/tools/nixery/server/builder/builder.go
@@ -45,6 +45,9 @@ import (
 // use up is set at a lower point.
 const LayerBudget int = 94
 
+// API scope needed for renaming objects in GCS
+const gcsScope = "https://www.googleapis.com/auth/devstorage.read_write"
+
 // HTTP client to use for direct calls to APIs that are not part of the SDK
 var client = &http.Client{}
 
@@ -270,7 +273,7 @@ func prepareLayers(ctx context.Context, s *State, image *Image, graph *layers.Ru
 func renameObject(ctx context.Context, s *State, old, new string) error {
 	bucket := s.Cfg.Bucket
 
-	creds, err := google.FindDefaultCredentials(ctx)
+	creds, err := google.FindDefaultCredentials(ctx, gcsScope)
 	if err != nil {
 		return err
 	}