yoshidan · yoshidan · Jul 26, 2024 · Jul 18, 2024 · Jul 18, 2024 · Jul 24, 2024
diff --git a/foundation/auth/src/project.rs b/foundation/auth/src/project.rs
@@ -3,6 +3,7 @@ use google_cloud_metadata::on_gce;
 use crate::credentials::CredentialsFile;
 use crate::misc::EMPTY;
 use crate::token_source::authorized_user_token_source::UserAccountTokenSource;
+use crate::token_source::compute_identity_source::ComputeIdentitySource;
 use crate::token_source::compute_token_source::ComputeTokenSource;
 use crate::token_source::reuse_token_source::ReuseTokenSource;
 use crate::token_source::service_account_token_source::OAuth2ServiceAccountTokenSource;
@@ -89,18 +90,38 @@ pub async fn create_token_source_from_credentials(
     Ok(Box::new(ReuseTokenSource::new(ts, token)))
 }
 
+/// Creates token source using gke metadata server.
+/// 
+/// Will use the audience if provided, generating an identity token source.
+/// Otherwise, will use the scopes if provided, generating an access token source.
+/// 
+/// Returns an error if neither audience nor scopes are provided, or if any technical error occurs.
+pub async fn create_token_source_from_metadata_server(config: &Config<'_>,) -> Result<Box<dyn TokenSource>, error::Error> {
+    match config.audience {
+        Some(audience) => {
+            let ts = ComputeIdentitySource::new(audience)?;
+            let token = ts.token().await?;
+            Ok(Box::new(ReuseTokenSource::new(Box::new(ts), token)))
+        },
+        None => {
+            if config.scopes.is_none() {
+                return Err(error::Error::ScopeOrAudienceRequired);
+            }
+            let ts = ComputeTokenSource::new(&config.scopes_to_string(","))?;
+            let token = ts.token().await?;
+            Ok(Box::new(ReuseTokenSource::new(Box::new(ts), token)))
+        }
+    }
+}
+
 /// create_token_source_from_project creates the token source.
 pub async fn create_token_source_from_project(
     project: &Project,
     config: Config<'_>,
 ) -> Result<Box<dyn TokenSource>, error::Error> {
     match project {
         Project::FromFile(file) => create_token_source_from_credentials(file, &config).await,
-        Project::FromMetadataServer(_) => {
-            let ts = ComputeTokenSource::new(&config.scopes_to_string(","))?;
-            let token = ts.token().await?;
-            Ok(Box::new(ReuseTokenSource::new(Box::new(ts), token)))
-        }
+        Project::FromMetadataServer(_) => create_token_source_from_metadata_server(&config).await,
     }
 }