From 30935227dab5be4c21481db595804a63eb82f802 Mon Sep 17 00:00:00 2001
From: JP Robinson
Date: Mon, 5 Nov 2018 17:27:24 -0500
Subject: [PATCH] [auth/gcp] looking up IAM email before fetching keyset

---
 auth/gcp/iam.go | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/auth/gcp/iam.go b/auth/gcp/iam.go
index 683d757f1..e0b80afee 100644
--- a/auth/gcp/iam.go
+++ b/auth/gcp/iam.go
@@ -40,13 +40,7 @@ type IAMClaimSet struct {
 // NewDefaultIAMVerifier will verify tokens that have the same default service account as
 // the server running this verifier.
 func NewDefaultIAMVerifier(ctx context.Context, cfg IAMConfig, clientFunc func(context.Context) *http.Client) (*auth.Verifier, error) {
-	ks, err := NewIAMPublicKeySource(ctx, cfg, clientFunc)
-	if err != nil {
-		return nil, err
-	}
-
 	eml := cfg.ServiceAccountEmail
-	// only fall back if one isn't injected
 	if eml == "" {
 		eml, err = GetDefaultEmail(ctx, "", clientFunc(ctx))
 		if err != nil {
@@ -54,6 +48,11 @@ func NewDefaultIAMVerifier(ctx context.Context, cfg IAMConfig, clientFunc func(c
 		}
 	}
 
+	ks, err := NewIAMPublicKeySource(ctx, cfg, clientFunc)
+	if err != nil {
+		return nil, err
+	}
+
 	return auth.NewVerifier(ks, IAMClaimsDecoderFunc, VerifyIAMEmails(ctx, []string{eml}, cfg.Audience)), nil
 }
 
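Review bot: On the new side of the first hunk, `eml, err = GetDefaultEmail(ctx, "", clientFunc(ctx))` assigns with `=`, but the only declaration of `err` in this function was the removed `ks, err := NewIAMPublicKeySource(...)` line and the replacement `ks, err :=` now sits after this block, so unless the lines between the two hunks declare it, `err` is undefined here and the file will not compile. Changing that line to `:=` would be the wrong fix, because it would shadow `eml` inside the `if` and leave the outer `eml` empty, which is what ends up in the `VerifyIAMEmails` allow-list. Declare it up front instead, `var err error` immediately before `eml := cfg.ServiceAccountEmail`, so both assignments write the outer variables. The removed comment `// only fall back if one isn't injected` was still accurate and worth keeping on the `if eml == ""` line. The body of NewDefaultIAMVerifier continues past the end of this hunk.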