GCE builder: Switch to google.DefaultClient (#3655)
* GCE builder: Switch to google.DefaultClient
  This enables authentication through an authenticated gcloud tool.
* GCE builder: Add docs about auth mech precedence
parent 683cb121db
commit 0c1051a017
|
@ -50,15 +50,20 @@ func NewDriverGCE(ui packer.Ui, p string, a *AccountFile) (Driver, error) {
|
||||||
// your service account.
|
// your service account.
|
||||||
client = conf.Client(oauth2.NoContext)
|
client = conf.Client(oauth2.NoContext)
|
||||||
} else {
|
} else {
|
||||||
log.Printf("[INFO] Requesting Google token via GCE Service Role...")
|
log.Printf("[INFO] Requesting Google token via GCE API Default Client Token Source...")
|
||||||
client = &http.Client{
|
client, err = google.DefaultClient(oauth2.NoContext, DriverScopes...)
|
||||||
Transport: &oauth2.Transport{
|
// The DefaultClient uses the DefaultTokenSource of the google lib.
|
||||||
// Fetch from Google Compute Engine's metadata server to retrieve
|
// The DefaultTokenSource uses the "Application Default Credentials"
|
||||||
// an access token for the provided account.
|
// It looks for credentials in the following places, preferring the first location found:
|
||||||
// If no account is specified, "default" is used.
|
// 1. A JSON file whose path is specified by the
|
||||||
Source: google.ComputeTokenSource(""),
|
// GOOGLE_APPLICATION_CREDENTIALS environment variable.
|
||||||
},
|
// 2. A JSON file in a location known to the gcloud command-line tool.
|
||||||
}
|
// On Windows, this is %APPDATA%/gcloud/application_default_credentials.json.
|
||||||
|
// On other systems, $HOME/.config/gcloud/application_default_credentials.json.
|
||||||
|
// 3. On Google App Engine it uses the appengine.AccessToken function.
|
||||||
|
// 4. On Google Compute Engine and Google App Engine Managed VMs, it fetches
|
||||||
|
// credentials from the metadata server.
|
||||||
|
// (In this final case any provided scopes are ignored.)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
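Review bot: In the else branch, swapping google.ComputeTokenSource("") for google.DefaultClient changes which identity a build without an account file runs as, and the single log line "Requesting Google token via GCE API Default Client Token Source..." does not say which source supplied the token. Per the new comment, a file named by GOOGLE_APPLICATION_CREDENTIALS or the gcloud application_default_credentials.json now takes precedence over the metadata server, so a build on a GCE VM can stop using the VM's service role without any visible sign. Suggest naming the possible sources in the log message (environment variable, gcloud file, metadata server) so an operator can check which credentials were picked up. The comment's last line says provided scopes are ignored in the metadata-server case, which means DriverScopes has no effect on that path; a short note next to the call that the VM's own scopes apply there would keep this from being missed.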
@ -74,6 +74,22 @@ straightforwarded, it is documented here.
|
||||||
4. Click "Generate new JSON key" for the Service Account you just created. A
|
4. Click "Generate new JSON key" for the Service Account you just created. A
|
||||||
JSON file will be downloaded automatically. This is your *account file*.
|
JSON file will be downloaded automatically. This is your *account file*.
|
||||||
|
|
||||||
|
### Precedence of Authentication Methods
|
||||||
|
|
||||||
|
Packer looks for credentials in the following places, preferring the first location found:
|
||||||
|
|
||||||
|
1. A `account_file` option in your packer file.
|
||||||
|
|
||||||
|
2. A JSON file (Service Account) whose path is specified by the `GOOGLE_APPLICATION_CREDENTIALS` environment variable.
|
||||||
|
|
||||||
|
3. A JSON file in a location known to the `gcloud` command-line tool. (`gcloud` creates it when it's configured)
|
||||||
|
|
||||||
|
On Windows, this is: `%APPDATA%/gcloud/application_default_credentials.json`.
|
||||||
|
|
||||||
|
On other systems: `$HOME/.config/gcloud/application_default_credentials.json`.
|
||||||
|
|
||||||
|
4. On Google Compute Engine and Google App Engine Managed VMs, it fetches credentials from the metadata server. (Needs a correct VM authentication scope configuration, see above)
|
||||||
|
|
||||||
## Basic Example
|
## Basic Example
|
||||||
|
|
||||||
Below is a fully functioning example. It doesn't do anything useful, since no
|
Below is a fully functioning example. It doesn't do anything useful, since no
|
||||||
|
|
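Review bot: The new "Precedence of Authentication Methods" list does not match the precedence comment added to the driver in this same commit: the code comment lists the App Engine appengine.AccessToken step between the gcloud file and the metadata server, and the docs omit it. If the omission is deliberate because Packer is not expected to run on App Engine, say so in the commit message; otherwise keep the two lists in step so the docs do not drift from the code. Item 1 should read "An `account_file` option" rather than "A `account_file` option". Item 4 points to "see above" for the VM scope configuration; since the code comment states that provided scopes are ignored on the metadata-server path, it is worth saying here directly that the scopes set on the VM are the ones that apply.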