fix(auth/gcp): ensure correct OAuth scope for Artifact Registry with …

…service account Adjusted OAuth scope to `https://www.googleapis.com/auth/cloud-platform` for compatibility with both service account and Workload Identity setups, resolving invalid scope errors when accessing Artifact Registry.
falcosecurity · Nov 7, 2024 · 84a18c6 · 84a18c6
1 parent c3cd349
commit 84a18c6
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/internal/login/gcp/gcp.go b/internal/login/gcp/gcp.go
@@ -28,7 +28,7 @@ import (
 // Login checks if passed gcp credentials are correct.
 func Login(ctx context.Context, reg string) error {
 	// Check that we can find a valid token source using GCE or ApplicationDefault.
-	ts, err := google.DefaultTokenSource(ctx)
+	ts, err := google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/cloud-platform")
 	if err != nil {
 		return fmt.Errorf("wrong GCP token source, unable to find a valid source: %w", err)
 	}

diff --git a/pkg/oci/authn/gcp.go b/pkg/oci/authn/gcp.go
@@ -55,7 +55,7 @@ func GCPCredential(ctx context.Context, reg string) (auth.Credential, error) {
 
 	// load saved tokenSource or saves it
 	if SavedTokenSource == nil {
-		tokenSource, err = google.DefaultTokenSource(ctx)
+		tokenSource, err = google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/cloud-platform")
 		if err != nil {
 			return auth.EmptyCredential, fmt.Errorf("error while trying to identify a GCP TokenSource %w", err)
 		}