Merge remote-tracking branch 'origin/feat/requester-pays' into feat/requester-pays
Avantol13 committed Jul 31, 2019
2 parents 54b163a + 67a9a37 commit ab1f61e
Showing 3 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion docs/google_architecture.md
Expand Up @@ -127,7 +127,7 @@ If you want Fence to automatically attempt to provide the necessary permissions
1) For [Signed URLs](#signed-urls): a `userProject=<google-project-to-bill>` query parameter will be appended to the signed url
* will only be appended if a valid `userProject` is provided in the request **or** Fence is configured with a "default billing project" for signed URLs
* if Fence is configured to automatically enable billing permission, it will do that for the service account used to sign the URL
2) For [Temporary Service Account Credentials](#temporary-service-account-credentials): iff Fence was configured to automatically enable billing permission, the service account key provided will have the necessary permissions on the `userProject` provided (in request or configured "default billing project") so that subsequent requests to Google using these service account credentials will allow specifying that `userProject` to bill
2) For [Temporary Service Account Credentials](#temporary-service-account-credentials): if Fence was configured to automatically enable billing permission, the service account key provided will have the necessary permissions on the `userProject` provided (in request or configured "default billing project") so that subsequent requests to Google using these service account credentials will allow specifying that `userProject` to bill
* depending on how the creds are used, this may involve adding additional query params or args to Google SDKs/services to provide the `userProject`

Example for Google's Cloud Storage SDK `gsutil`:
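Review bot: In item 2 (Temporary Service Account Credentials), replacing "iff" with "if" drops the "only if" half of the statement, so the docs no longer say that the service account key lacks billing permissions on the `userProject` when automatic billing permission is not configured. If that exclusivity still holds, write "only if Fence was configured to automatically enable billing permission" rather than weakening it to "if"; a reader deciding whether to grant the permission manually needs that case spelled out.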
2 changes: 1 addition & 1 deletion fence/config.py
Expand Up @@ -104,7 +104,7 @@ def post_process(self):
logger.warning(
"Configuration does not restrict end-user access to billing. Correcting. "
"BILLING_PROJECT_FOR_SA_CREDS or BILLING_PROJECT_FOR_SIGNED_URLS is set to a non-None value. "
"USER_ALLOWED_SCOPES includes `google_credentials`. Removing "
"SESSION_ALLOWED_SCOPES includes `google_credentials`. Removing "
"`google_credentials` from USER_ALLOWED_SCOPES as this could allow "
"end-users to indescriminently bill our default project. Clients are inheritently "
"trusted, so we do not restrict this scope for clients."
2 changes: 1 addition & 1 deletion fence/resources/google/utils.py
Expand Up @@ -209,7 +209,7 @@ def give_service_account_billing_access_if_necessary(
sa_account_id = sa_private_key.get("client_email")

try:
# if a project is provided, attempt to create custom role that gives
# attempt to create custom role that gives
# the SA access to bill the project provided
# NOTE: this may fail if our fence SA doesn't have the right permissions
# to add this role and update the project policy
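Review bot: The rewritten comment under `try:` drops "if a project is provided" without saying what now determines the project, while the next comment line still refers to "the project provided". State where the project comes from when the caller passes none (the docs change in this commit mentions a configured "default billing project"), or restore the condition if the role creation is still conditional. Separately, `sa_private_key.get("client_email")` in the context line returns None when the key is absent, and no check on `sa_account_id` is visible before the `try:`; worth confirming one exists further down.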
