From 6d398fdb073d71071c45ddaf6e4783ea22886d45 Mon Sep 17 00:00:00 2001
From: Guillaume Blaquiere <guillaume.blaquiere@gmail.com>
Date: Fri, 21 Jan 2022 15:11:07 +0100
Subject: [PATCH] fix: set default scopes (Google Cloud Platform) if no scope
 provided for impersonate service account credential type.

---
 google/google.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/google/google.go b/google/google.go
index ccc23ee0a..d8bbf2a88 100644
--- a/google/google.go
+++ b/google/google.go
@@ -189,15 +189,18 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar
 		if f.ServiceAccountImpersonationURL == "" || f.SourceCredentials == nil {
 			return nil, errors.New("missing 'source_credentials' field or 'service_account_impersonation_url' in credentials")
 		}
-
 		ts, err := f.SourceCredentials.tokenSource(ctx, params)
 		if err != nil {
 			return nil, err
 		}
+		scopes := params.Scopes
+		if len(scopes) == 0 {
+			scopes = []string{"https://www.googleapis.com/auth/cloud-platform"}
+		}
 		imp := externalaccount.ImpersonateTokenSource{
 			Ctx:       ctx,
 			URL:       f.ServiceAccountImpersonationURL,
-			Scopes:    params.Scopes,
+			Scopes:    scopes,
 			Ts:        ts,
 			Delegates: f.Delegates,
 		}