-
-
Notifications
You must be signed in to change notification settings - Fork 866
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
signed urls do not work in Cloud Run with django-storages #941
Comments
Just run on the very same issue with Google App Engine (standard). Took me a while as well to understand the error. Uploading a file works just fine so I thought it should not be a credential issue, but retrieving the file causes the error (at url signing invocation). @sww314 did you find a nice work around / hack for this issue? Could I store the credentials in a file in Cloud Storage and add an environment variable to the |
@Prikers |
➕ 1️⃣ - I think we are experiencing the same issue. |
Our workaround is as follows:
You should obviously then use this class as a replacement for the GoogleCloudStorage base class (we set up storages explicitly on a case-by-case basis, so this is fairly straightforard for us). |
Thanks @danfairs for sharing! 👍
Also caching (pickling) Google's credentials object was failing, so I had to remove that also. |
I know the OP wanted to use signed URLs, just a note we hit this issue accidentally because we were missing
|
|
I also had to update service account permission in GCP Console https://console.cloud.google.com
or there will be error
|
This is a workaround, to be able to sign blob URLs without a credential file/private key. References: jschneier/django-storages#941 https://googleapis.dev/python/storage/latest/blobs.html#google.cloud.storage.blob.Blob.generate_signed_url
After a long day of troubleshooting, here is how I got around it.
then added service account json file to "Google Secret Manager", mounted it to Google Run as shown below, and now it's working like charm. |
Needs to be updated to support Workload Identity on k8s |
Any news on this? |
Using Cloud Run the default credentials do not allow signing of urls.
The error is swallowed in most use cases and the file filed just returns a None in serializers or in django admin.
The error is confusing because everything works fine on the upload side.
Even worse, if you use the same service account and run your container locally - it works fine. Since the credential is provided in the different manner.
To recreate:
I am still trying to figure out the best work around, but I wanted to add this in case anyone else runs into the error.
This maybe a documentation update or a change to not swallow the error.
The text was updated successfully, but these errors were encountered: