fog-google
storage: fix incorrect API scopes for IAM SignBlob API
Previously when a service account attempted to use the IAM SignBlob API, the request would fail with a 403 ACCESS_TOKEN_SCOPE_INSUFFICIENT because the wrong scope was requested.
As documented in https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob, either https://www.googleapis.com/auth/iam or https://www.googleapis.com/auth/cloud-platform is needed.
This commit fixes an issue where the default authorization header with the https://www.googleapis.com/auth/devstorage.full_control scope was being used by the IAM service. This occurred because the previous code did not actually set the scope properly, and for the IAM service to work properly, we need to request a new access token with the correct scope.
Note that the service account in question needs to have the Service Account Token Creator IAM role to work.
Closes #599
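A small model of the failure mode and fix described in this PR, added here as an example and not taken from fog-google: the token minter and the server-side scope check are stand-ins (assumptions, no network), and the signature output is constructed. It shows why reusing the storage-scoped token for signBlob yields the 403, and how keeping one token per scope set avoids it.

```ruby
# Added example (not fog-google code): models the scope bug described above.
# Scopes accepted by IAM signBlob and the storage scope that was wrongly reused.
IAM_SIGNBLOB_SCOPES = %w[
  https://www.googleapis.com/auth/iam
  https://www.googleapis.com/auth/cloud-platform
].freeze
STORAGE_SCOPE = "https://www.googleapis.com/auth/devstorage.full_control".freeze

class ScopeInsufficientError < StandardError; end

# Stand-in for the OAuth2 token exchange (assumption: no network). Each token
# remembers the scopes it was issued for, as a real access token does server-side.
class FakeTokenMinter
  Token = Struct.new(:value, :scopes)
  attr_reader :issued

  def initialize
    @issued = 0
  end

  def mint(scopes)
    @issued += 1
    Token.new("tok-#{@issued}", scopes.sort.freeze)
  end
end

# Keeps one token per distinct scope set; a caller asking for the IAM scope
# gets a fresh token instead of the storage-scoped one already in hand.
class ScopedTokenCache
  def initialize(minter)
    @minter = minter
    @cache = {}
  end

  def token_for(scopes)
    @cache[scopes.sort] ||= @minter.mint(scopes)
  end
end

# Mirrors the server-side check that produced the 403: signBlob only accepts a
# token carrying the iam or cloud-platform scope. Signature output is constructed.
def sign_blob(token, payload)
  if (token.scopes & IAM_SIGNBLOB_SCOPES).empty?
    raise ScopeInsufficientError, "403 ACCESS_TOKEN_SCOPE_INSUFFICIENT"
  end
  "signed(#{payload})"
end
```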
@Temikus Would you mind reviewing this? This seems to be a pretty critical fix for Google Kubernetes Engine users.
And thanks for your contributions @stanhu as usual ❤️
Kicked off the CI, once it passes will merge and release as soon as I can.
@stanhu looks like there’s a small typo causing some errors - you can see the unit test run failing ‘rake test:unit’ for local if you need it.
Thanks. That was a last-minute refactor, should be fixed now.
LGTM, merging 👍 Will aim to release today if I can - if not - will push Friday.