From e2116ef572ee2951ecb85bf9e5c9954c7797c5f3 Mon Sep 17 00:00:00 2001
From: Michael Taufen <mtaufen@google.com>
Date: Thu, 30 May 2019 16:55:42 -0700
Subject: [PATCH] Windows startup scripts should use Authorization header for
 GCS requests

Requests against private buckets will fail unless the VM has storage
scope and the default service account token is provided in the request
header.

This PR replicates the following Linux changes for Windows:
- https://github.com/kubernetes/kubernetes/pull/74142
- https://github.com/kubernetes/kubernetes/pull/75269
---
 cluster/gce/windows/common.psm1 | 34 +++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/cluster/gce/windows/common.psm1 b/cluster/gce/windows/common.psm1
index 0fd691ab225..a6d6ceee98f 100644
--- a/cluster/gce/windows/common.psm1
+++ b/cluster/gce/windows/common.psm1
@@ -131,16 +131,23 @@ function MustDownload-File {
   param (
     [parameter(Mandatory=$false)] [string]$Hash,
     [parameter(Mandatory=$true)] [string]$OutFile,
-    [parameter(Mandatory=$true)] [System.Collections.Generic.List[String]]$URLs
+    [parameter(Mandatory=$true)] [System.Collections.Generic.List[String]]$URLs,
+    [parameter(Mandatory=$false)] [System.Collections.IDictionary]$Headers = @{}
   )
 
   While($true) {
     ForEach($url in $URLs) {
+      # If the URL is for GCS and the node has dev storage scope, add the
+      # service account token to the request headers.
+      if (($url -match "^https://storage`.googleapis`.com.*") -and $(Check-StorageScope)) {
+        $Headers["Authorization"] = "Bearer $(Get-Credentials)"
+      }
+
       # Attempt to download the file
       Try {
         # TODO(mtaufen): When we finally get a Windows version that has Powershell 6
         # installed we can set `-MaximumRetryCount 6 -RetryIntervalSec 10` to make this even more robust.
-        Invoke-WebRequest $url -OutFile $OutFile -TimeoutSec 300
+        $result = Invoke-WebRequest $url -Headers $Headers -OutFile $OutFile -TimeoutSec 300
       } Catch {
         $message = $_.Exception.ToString()
         Log-Output "Failed to download file from $url. Will retry. Error: $message"
@@ -164,6 +171,29 @@ function MustDownload-File {
   }
 }
 
+# Returns the default service account token for the VM, retrieved from
+# the instance metadata.
+function Get-Credentials {
+  While($true) {
+    $data = Get-InstanceMetadata -Key "service-accounts/default/token"
+    if ($data) {
+      return ($data | ConvertFrom-Json).access_token
+    }
+    Start-Sleep -Seconds 1
+  }
+}
+
+# Returns True if the VM has the dev storage scope, False otherwise.
+function Check-StorageScope {
+  While($true) {
+    $data = Get-InstanceMetadata -Key "service-accounts/default/scopes"
+    if ($data) {
+      return ($data -match "auth/devstorage")
+    }
+    Start-Sleep -Seconds 1
+  }
+}
+
 # This compiles some C# code that can make syscalls, and pulls the
 # result into our powershell environment so we can make syscalls from this script.
 # We make syscalls directly, because whatever the powershell cmdlets do under the hood,