From f4f290957305a5a81292edef717a18a7c36be4bf Mon Sep 17 00:00:00 2001
From: Vincent Ambo <tazjin@google.com>
Date: Wed, 2 Oct 2019 15:19:28 +0100
Subject: fix(server): Specify correct authentication scope for GCS

When retrieving tokens for service service accounts, some methods of
retrieval require a scope to be specified.
---
 tools/nixery/server/builder/builder.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'tools')

diff --git a/tools/nixery/server/builder/builder.go b/tools/nixery/server/builder/builder.go
index 1bdd9212c7..ddfd4a0782 100644
--- a/tools/nixery/server/builder/builder.go
+++ b/tools/nixery/server/builder/builder.go
@@ -45,6 +45,9 @@ import (
 // use up is set at a lower point.
 const LayerBudget int = 94
 
+// API scope needed for renaming objects in GCS
+const gcsScope = "https://www.googleapis.com/auth/devstorage.read_write"
+
 // HTTP client to use for direct calls to APIs that are not part of the SDK
 var client = &http.Client{}
 
@@ -270,7 +273,7 @@ func prepareLayers(ctx context.Context, s *State, image *Image, graph *layers.Ru
 func renameObject(ctx context.Context, s *State, old, new string) error {
 	bucket := s.Cfg.Bucket
 
-	creds, err := google.FindDefaultCredentials(ctx)
+	creds, err := google.FindDefaultCredentials(ctx, gcsScope)
 	if err != nil {
 		return err
 	}
-- 
cgit 1.4.1