
generate_signed_post_policy_v4() should not call ensure_signed_credentials() when service_account_email and access_token are specified #1351

Closed
jasonkit opened this issue Sep 26, 2024 · 0 comments · Fixed by #1356
Labels
api: storage Issues related to the googleapis/python-storage API.

Comments


jasonkit commented Sep 26, 2024

I am calling generate_signed_post_policy_v4() on a pod running on GKE using Application Default Credentials, to avoid using a service account key.

In the latest code, even though generate_signed_post_policy_v4() supports passing in service_account_email and access_token and using them to generate the signature, it still unconditionally calls ensure_signed_credentials():

    credentials = self._credentials if credentials is None else credentials
    ensure_signed_credentials(credentials)

If we are using Application Default Credentials and getting the credentials from the GKE metadata server, they will not pass the ensure_signed_credentials() check, and it returns
AttributeError: you need a private key to sign credentials.the credentials you are currently using <class 'google.auth.compute_engine.credentials.Credentials'> just contains a token. see https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-account for more details.


generate_signed_post_policy_v4() should have handling similar to that in generate_signed_url_v4():

    # If you are on Google Compute Engine, you can't generate a signed URL.
    # See https://github.com/googleapis/google-cloud-python/issues/922
    client_email = service_account_email
    if not access_token or not service_account_email:
        ensure_signed_credentials(credentials)
        client_email = credentials.signer_email

My current workaround is to implement a class and pass it to generate_signed_post_policy_v4() as credentials, to bypass the ensure_signed_credentials() check:

    from google.auth.credentials import Signing


    class _SigningCredential(Signing):
        """Placeholder credentials whose only purpose is to satisfy the
        isinstance(credentials, Signing) test inside ensure_signed_credentials().

        The signature itself is produced from the service_account_email and
        access_token passed alongside these credentials, so signer and
        sign_bytes are never reached.
        """

        def __init__(self, service_account_email: str):
            self._signer_email = service_account_email

        @property
        def signer_email(self):
            # Reported as the policy's client email.
            return self._signer_email

        @property
        def signer(self):
            raise NotImplementedError('Not in use')

        def sign_bytes(self, message):
            raise NotImplementedError('Not in use')

Environment details

  • google-cloud-storage version: 2.17.0
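The conditional guard the issue asks for, written out as an added example (this is not code from googleapis/python-storage and does not import it). The `Signing` marker, the two credential classes and `ensure_signed_credentials()` are constructed stand-ins that reproduce only the shape of the real check, which is an `isinstance(credentials, google.auth.credentials.Signing)` test; `resolve_signer()` is a hypothetical name for the decision that `generate_signed_url_v4()` makes inline and that `generate_signed_post_policy_v4()` should make too: only demand a private key when the caller did not supply both `service_account_email` and `access_token`.

```python
"""Model of the V4 signing-path decision requested in the issue.

Added example; not the library's code. The classes below stand in for
google-auth so the example runs offline: ServiceAccountKeyCredentials plays a
JSON-key credential (can sign locally), ComputeEngineCredentials plays the
token-only credential handed out by the GCE/GKE metadata server.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


class Signing:
    """Marker for credentials that hold a private key
    (stand-in for google.auth.credentials.Signing)."""

    @property
    def signer_email(self) -> str:
        raise NotImplementedError


@dataclass
class ServiceAccountKeyCredentials(Signing):
    """Constructed: credentials loaded from a service account key file."""
    email: str

    @property
    def signer_email(self) -> str:
        return self.email


@dataclass
class ComputeEngineCredentials:
    """Constructed: metadata-server credentials. Deliberately NOT a Signing
    subclass, matching google.auth.compute_engine.credentials.Credentials."""
    token: str


def ensure_signed_credentials(credentials) -> None:
    """Same shape as the library's guard: reject token-only credentials."""
    if not isinstance(credentials, Signing):
        raise AttributeError(
            "you need a private key to sign credentials. the credentials you "
            f"are currently using {type(credentials)} just contains a token."
        )


def resolve_signer(credentials,
                   service_account_email: Optional[str] = None,
                   access_token: Optional[str] = None) -> Tuple[str, str]:
    """Return (client_email, mode) for a V4 POST policy or signed URL.

    mode is "local" when the credentials sign with their own private key and
    "iam" when the caller supplied service_account_email plus access_token and
    the signature is to be delegated to the IAM signBlob API. The guard runs
    only on the "local" path, which is the fix the issue proposes.
    """
    if not access_token or not service_account_email:
        ensure_signed_credentials(credentials)
        return credentials.signer_email, "local"
    return service_account_email, "iam"


def requires_private_key(credentials,
                         service_account_email: Optional[str] = None,
                         access_token: Optional[str] = None) -> bool:
    """True when resolve_signer() refuses the combination for lack of a key."""
    try:
        resolve_signer(credentials, service_account_email, access_token)
    except AttributeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a GKE pod with token-only ADC and the SA it runs as.
    gke = ComputeEngineCredentials(token="ya29.constructed-token")
    sa = "app@example-project.iam.gserviceaccount.com"
    print(resolve_signer(gke, sa, gke.token))          # IAM path, no key needed
    print(requires_private_key(gke))                   # no email/token: rejected
    print(requires_private_key(gke, sa, None))         # email alone: rejected
    print(resolve_signer(ServiceAccountKeyCredentials(sa)))  # local key path
```

Two things follow from the "iam" path that a reviewer of the fix should keep in mind. First, supplying only one of `service_account_email` or `access_token` must still fall through to the guard, as the `or` in the quoted `generate_signed_url_v4()` logic does; silently accepting a partial pair would produce a policy with a client email that nothing can sign for. Second, delegating to signBlob means the identity behind `access_token` needs permission to sign as the target service account (the `iam.serviceAccounts.signBlob` permission, granted by roles/iam.serviceAccountTokenCreator), so the workload identity on the pod should hold that role on exactly the one service account named in the policy and nothing broader.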
@product-auto-label product-auto-label bot added the api: storage Issues related to the googleapis/python-storage API. label Sep 26, 2024
@cojenco cojenco added the status: investigating The issue is under investigation, which is determined to be non-trivial. label Sep 30, 2024
@cojenco cojenco removed the status: investigating The issue is under investigation, which is determined to be non-trivial. label Oct 1, 2024