Use the instance service key for registry JWT signing

util/secscan/api.py

@@ -8,7 +8,8 @@ from data.database import CloseForLongOperation
 from data import model
 from data.model.storage import get_storage_locations
 from util.secscan.validator import SecurityConfigValidator
-from util.security.registry_jwt import generate_jwt_object, build_context_and_subject
+from util.security.instancekeys import InstanceKeys
+from util.security.registry_jwt import generate_bearer_token, build_context_and_subject
 from util import get_app_url
 
 
@@ -43,6 +44,7 @@ class SecurityScannerAPI(object):
 
     self._app = app
     self._config = config
+    self._instance_keys = InstanceKeys(app)
     self._client = client or config['HTTPCLIENT']
     self._storage = storage
     self._default_storage_locations = config['DISTRIBUTED_STORAGE_PREFERENCE']
@@ -80,9 +82,10 @@ class SecurityScannerAPI(object):
         'name': repository_and_namespace,
         'actions': ['pull'],
       }]
-      auth_jwt = generate_jwt_object(audience, subject, context, access, TOKEN_VALIDITY_LIFETIME_S,
-                                     self._config)
-      auth_header = 'Bearer {}'.format(auth_jwt)
+
+      auth_token = generate_bearer_token(audience, subject, context, access,
+                                         TOKEN_VALIDITY_LIFETIME_S, self._instance_keys)
+      auth_header = 'Bearer ' + auth_token
 
       with self._app.test_request_context('/'):
         relative_layer_url = url_for('v2.download_blob', repository=repository_and_namespace,