hail
Use only the minimum viable scopes when creating cloud access tokens
What happened?
Hail's Google/Azure credential classes do not require the caller to specify scopes when requesting access tokens, and thus default to a very wide set of scopes, making those access tokens excessively powerful. An access token does not need to have the https://www.googleapis.com/auth/appengine.admin scope to read a blob from GCS. This poses an unnecessary risk if such a token were leaked.
These classes should instead require that scopes be specified when requesting an access token, and call sites should specify the minimum set of scopes necessary to perform their function.
Version
0.2.120
Relevant log output
No response
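One way to shape the API this issue asks for, as an added example that is not Hail's code: a credentials wrapper with no default scopes, a guard on broad scopes, and a token cache keyed by scope set. `ScopedCredentials`, `fetch_token`, `allow_broad`, `BROAD_SCOPES` and `fake_fetch` are hypothetical names, and the deny list is an assumption of this example.

```python
from typing import Callable, Dict, FrozenSet, Iterable

# Real GCP OAuth scope URLs; which ones count as "broad" is this example's assumption.
GCS_READ_ONLY = "https://www.googleapis.com/auth/devstorage.read_only"
BROAD_SCOPES = frozenset({
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/appengine.admin",
})


class ScopeError(ValueError):
    """Raised when a token request is missing scopes or asks for too much."""


class ScopedCredentials:
    """Hypothetical wrapper: every token request must name its scopes."""

    def __init__(self, fetch_token: Callable[[FrozenSet[str]], str]):
        # fetch_token stands in for the real provider call (OAuth endpoint,
        # metadata server, ...). Token expiry is left out to keep the focus on scopes.
        self._fetch_token = fetch_token
        self._cache: Dict[FrozenSet[str], str] = {}

    def access_token(self, *, scopes: Iterable[str], allow_broad: bool = False) -> str:
        if isinstance(scopes, str):
            raise ScopeError("scopes must be a collection, not a single string")
        requested = frozenset(scopes)
        if not requested:
            raise ScopeError("at least one scope is required; there is no default")
        broad = requested & BROAD_SCOPES
        if broad and not allow_broad:
            raise ScopeError(f"broad scopes need allow_broad=True: {sorted(broad)}")
        # Cache per exact scope set so a narrow request never gets a wider cached token.
        if requested not in self._cache:
            self._cache[requested] = self._fetch_token(requested)
        return self._cache[requested]


def fake_fetch(scopes: FrozenSet[str]) -> str:
    # Constructed stand-in: a fake token that records the scopes it was minted for.
    return "fake-token:" + ",".join(sorted(scopes))
```

Keying the cache on the exact scope set matters: reusing any cached token that covers the requested scopes would quietly hand wide tokens back to narrow call sites.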