fix get-kube authorization headers

BenTheElder · BenTheElder · commit f90726a6a6f7 · 2020-02-20T14:07:14.000-08:00
diff --git a/cluster/get-kube-binaries.sh b/cluster/get-kube-binaries.sh
@@ -143,17 +143,6 @@ function sha1sum_file() {
   fi
 }
 
-# Get default service account credentials of the VM.
-GCE_METADATA_INTERNAL="http://metadata.google.internal/computeMetadata/v1/instance"
-function get-credentials {
-  curl "${GCE_METADATA_INTERNAL}/service-accounts/default/token" -H "Metadata-Flavor: Google" -s | python -c \
-    'import sys; import json; print(json.loads(sys.stdin.read())["access_token"])'
-}
-
-function valid-storage-scope {
-  curl "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -E "auth/devstorage|auth/cloud-platform"
-}
-
 function download_tarball() {
   local -r download_path="$1"
   local -r file="$2"
@@ -168,8 +157,8 @@ function download_tarball() {
     # if the url belongs to GCS API we should use oauth2_token in the headers
     curl_headers=""
     if { [[ "${KUBERNETES_PROVIDER:-gce}" == "gce" ]] || [[ "${KUBERNETES_PROVIDER}" == "gke" ]] ; } &&
-       [[ "$url" =~ ^https://storage.googleapis.com.* ]] && valid-storage-scope ; then
-      curl_headers="Authorization: Bearer $(get-credentials)"
+       [[ "$url" =~ ^https://storage.googleapis.com.* ]]; then
+      curl_headers="Authorization: Bearer $(gcloud auth print-access-token)"
     fi
     curl ${curl_headers:+-H "${curl_headers}"} -fL --retry 3 --keepalive-time 2 "${url}" -o "${download_path}/${file}"
   elif [[ $(which wget) ]]; then
diff --git a/cluster/get-kube.sh b/cluster/get-kube.sh
@@ -122,13 +122,6 @@ function create_cluster {
   )
 }
 
-# Get default service account credentials of the VM.
-GCE_METADATA_INTERNAL="http://metadata.google.internal/computeMetadata/v1/instance"
-function get-credentials {
-  curl "${GCE_METADATA_INTERNAL}/service-accounts/default/token" -H "Metadata-Flavor: Google" -s | python -c \
-    'import sys; import json; print(json.loads(sys.stdin.read())["access_token"])'
-}
-
 function valid-storage-scope {
   curl "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -E "auth/devstorage|auth/cloud-platform"
 }
@@ -242,8 +235,8 @@ if "${need_download}"; then
     # if the url belongs to GCS API we should use oauth2_token in the headers
     curl_headers=""
     if { [[ "${KUBERNETES_PROVIDER:-gce}" == "gce" ]] || [[ "${KUBERNETES_PROVIDER}" == "gke" ]] ; } &&
-       [[ "$kubernetes_tar_url" =~ ^https://storage.googleapis.com.* ]] && valid-storage-scope ; then
-      curl_headers="Authorization: Bearer $(get-credentials)"
+       [[ "$kubernetes_tar_url" =~ ^https://storage.googleapis.com.* ]] ; then
+      curl_headers="Authorization: Bearer $(gcloud auth print-access-token)"
     fi
     curl ${curl_headers:+-H "${curl_headers}"} -fL --retry 3 --keepalive-time 2 "${kubernetes_tar_url}" -o "${file}"
   elif [[ $(which wget) ]]; then
