Gcloud::Storage::File#signed_url does not work when using Google Cloud SDK credentials #181
Comments
Hey @premist, I am having a hard time reproducing this. Are you available to pair remotely so I can see what you are doing in hopes of creating a reliable reproduction?
I will try to replicate this on a clean Linux machine soon and let you know. If this works properly in a clean environment, there should be some misconfiguration on my machine which causes the issue.
@premist Any luck reproducing this?
Hi @blowmage, sorry for the late reply. Will try this later today and I'll let you know how it goes.
Thanks! Looking forward to it. :)
Hey @premist, when you provide the keyfile explicitly, are you giving the absolute path to the file? e.g
I created a clean Ubuntu (15.04 x64) VM, and did the following:
I tried the code above again and it failed. Seems like
@premist Thanks! You also said:
I can't get it to fail when explicitly providing a keyfile, but I assume that the path you provided didn't resolve and so it fell back to the cloud SDK credentials. Any chance you can confirm?
I tried providing JSON keyfile explicitly to
I'm not sure why I was unable to get signed url when I provided keyfile explicitly, but seems like it works as intended.
It looks like the code that derives credentials from the cloud SDK doesn't return "service account" credentials, which is missing the private key needed to sign the URLs. Right now we're trying to determine how we can convert "authorized user" credentials to "service account" credentials.
I found something that might be related to this on gsutil documentation. In order to use I checked gcloud-python and gcloud-node, seems like those libraries don't support authentication by Cloud SDK. Also I couldn't find a code which converts 'authorized user' credentials to 'service account' credentials.
I'm pretty sure both node and python will pull the creds set by the cloud SDK. CC @stephenplusplus @dhermes to comment.
Yes, we have a tight integration with https://github.com/google/oauth2client and don't implement much of the signing ourselves, just proxy it out to the auth library.
Same as @dhermes said, gcloud-node's auth library is https://github.com/google/google-auth-library-nodejs which respects the cloud sdk session.
Ah, thanks for the correction. Then it should be possible to generate signed url using Cloud SDK credentials.
@dhermes @stephenplusplus Do your auth libraries give you credentials with the private key when authenticating with the cloud SDK? Or do you have a way to exchange the "authorized user" credentials for "service account" credentials?
The signed url documentation is clear about requiring service account authentication for signing the url. We need the private key to sign the url.
No, haven't found a way to do this yet: googleapis/google-cloud-node#211
There is no way to sign with "authorized user" credentials, it must be a service account. Our code paths fail on non-service account credentials (as well as on GCE service account credentials).
@stephenplusplus Ah, thanks for the link. I had missed that in my searches. Makes sense. @dhermes Thank you for the confirmation. @premist I have some ideas. I'll try to get a PR up today.
Credentials from non-service account JSON files, like GCE, do not have issuer and signing_key available. In those cases the users must pass in the issuer and signing_key values for signed_url to work. [refs googleapis#181]
I tried using Gcloud::Storage::File#signed_url to generate object url with query strings, but I can't get it to work. I used the following code:
It returns the following error:
I tried to investigate this and found out that signing_key on Gcloud::Credentials is not being set properly.
I used gcloud auth credential from my computer initially, and I tried to explicitly provide keyfile for authentication too, but it didn't work.
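The constraint discussed in this thread, as an added example that is not code from the issue or from gcloud-ruby: a credentials file can only sign a URL if it is a "service_account" file carrying `client_email` and `private_key`, while a Cloud SDK "authorized_user" file holds only a refresh token. The helper names (`signing_material`, `string_to_sign`, `sign_gcs_url`), the bucket and object names, and the sample credentials are constructed, and the legacy query-string signing format (`GoogleAccessId`, `Expires`, `Signature`) is an assumption.

```ruby
require "json"
require "openssl"
require "uri"

# Returns [issuer, signing_key] if the credentials JSON can sign, else nil.
# Only "service_account" files carry client_email and private_key.
def signing_material(json)
  creds = JSON.parse(json)
  return nil unless creds["type"] == "service_account"
  return nil unless creds["client_email"] && creds["private_key"]
  [creds["client_email"], OpenSSL::PKey::RSA.new(creds["private_key"])]
end

# Assumed legacy format: verb, Content-MD5, Content-Type, expiry, resource.
def string_to_sign(bucket, path, expires, verb = "GET")
  [verb, "", "", expires.to_i, "/#{bucket}/#{path}"].join("\n")
end

def sign_gcs_url(bucket, path, issuer, signing_key, expires)
  unless issuer && signing_key
    raise ArgumentError, "issuer and signing_key are required to sign"
  end
  data = string_to_sign(bucket, path, expires)
  sig = signing_key.sign(OpenSSL::Digest::SHA256.new, data)
  query = URI.encode_www_form({
    "GoogleAccessId" => issuer,
    "Expires" => expires.to_i,
    "Signature" => [sig].pack("m0") # strict base64, no newlines
  })
  "https://storage.googleapis.com/#{bucket}/#{path}?#{query}"
end

# Constructed sample credentials; the key is generated here, nothing is real.
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)
SERVICE_ACCOUNT_JSON = JSON.generate({
  "type" => "service_account",
  "client_email" => "signer@example-project.iam.gserviceaccount.com",
  "private_key" => SAMPLE_KEY.to_pem
})
AUTHORIZED_USER_JSON = JSON.generate({
  "type" => "authorized_user", "client_id" => "constructed-id",
  "client_secret" => "constructed-secret", "refresh_token" => "constructed-token"
})

[SERVICE_ACCOUNT_JSON, AUTHORIZED_USER_JSON].each do |json|
  issuer, key = signing_material(json)
  url = sign_gcs_url("example-bucket", "a.csv", issuer, key, Time.now + 300) if issuer
  puts url || "#{JSON.parse(json)['type']}: no private key, cannot sign"
end
```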