restrict SCOPE and fix yq command

deploy/deploy.sh

@@ -31,9 +31,11 @@ site_config_dir: "$(readlink -f ../sites)"
 EOF
 
 # get access token for motley-cue
-CLIENT_ID=$(yq -r '.fedcloudops.client_id' secrets.yaml)
-CLIENT_SECRET=$(yq -r '.fedcloudops.client_secret' secrets.yaml)
-SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement"
+CLIENT_ID=$(yq -r '.checkin.client_id' < secrets.yaml)
+CLIENT_SECRET=$(yq -r '.checkin.client_id' < secrets.yaml)
+SCOPE="openid%20email%20profile%20voperson_id"
+SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu"
+SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=member#aai.egi.eu"
 ACCESS_TOKEN=$(curl --request POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \
 	--data "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET&scope=$SCOPE" |
 	jq -r ".access_token")