Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(storage): find GoogleAccessID when using impersonated creds #6591

Merged
merged 17 commits into from
Sep 14, 2022
Merged

feat(storage): find GoogleAccessID when using impersonated creds #6591

merged 17 commits into from
Sep 14, 2022

Conversation

BrennaEpp
Copy link
Contributor

@BrennaEpp BrennaEpp commented Aug 30, 2022
edited
Loading

bucket.SignedURL and bucket.GenerateSignedPostPolicyV4 now automatically detect the GoogleAccessID when using impersonated credentials, i.e. when authenticated via gcloud auth application-default login --impersonate-service-account ${SERVICE_ACCOUNT}

This prevents users from having to manage a private key or pass in the service account to these methods in their code; see #5979

@BrennaEpp BrennaEpp requested review from a team as code owners August 30, 2022 20:25
@product-auto-label product-auto-label bot added size: l Pull request size is large. api: storage Issues related to the Cloud Storage API. labels Aug 30, 2022
@BrennaEpp BrennaEpp requested a review from tritone August 30, 2022 20:25
@product-auto-label product-auto-label bot added size: m Pull request size is medium. and removed size: l Pull request size is large. labels Aug 30, 2022
tritone
tritone reviewed Aug 31, 2022
View reviewed changes
Copy link
Contributor

@tritone tritone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally looks good, a few comments on docs clarity and factoring. We should also update the docs for SignedURL and PostPolicyV4 options; they still note that "at least one of PrivateKey and SignedBytes must be non-nil" which is not accurate.

@BrennaEpp BrennaEpp requested a review from tritone September 6, 2022 22:11
tritone
tritone reviewed Sep 9, 2022
View reviewed changes
Copy link
Contributor

@tritone tritone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple more docs nits, but overall looks good

@jawher
Copy link

jawher commented Sep 12, 2022

FWIW:

I was impacted by this issue, and as a workaround, I currently have to do the following:

  • parse the Google Service Account JSON to extract the 2 fields client_email and private_key
  • passe these 2 fields to calls to SignedURL
serviceAccount = json.Unmarshal(os.Getenv("GOOGLE_CREDENTIALS"))

res, err := client.Bucket(bucket).SignedURL(path, &gstorage.SignedURLOptions{
	Scheme: gstorage.SigningSchemeV4,
	Method: "PUT",
	GoogleAccessID: serviceAccount.ClientEmail,
	PrivateKey:     []byte(serviceAccount.PrivateKey),
	Expires: time.Now().Add(15 * time.Minute),
})

I just tested using this PR, by adding the following in go.mod:

replace cloud.google.com/go => github.com/BrennaEpp/google-cloud-go sign

And changing my code to:

  • no longer parse the service account json
  • nor pass the client_email and private_key fields to SignURL

And I'm glad to report that this works as before 👍 🥳 🍻

Thank you @BrennaEpp and can't wait for this to get merged and released 🤞

@frankyn frankyn mentioned this pull request Sep 13, 2022
Closed
@BrennaEpp BrennaEpp requested a review from tritone September 14, 2022 21:01
tritone
tritone approved these changes Sep 14, 2022
View reviewed changes
Copy link
Contributor

@tritone tritone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Brenna!

@tritone tritone merged commit a2d16a7 into googleapis:main Sep 14, 2022
@release-please release-please bot mentioned this pull request Sep 14, 2022
Merged
@BrennaEpp BrennaEpp deleted the sign branch September 15, 2022 01:40
gcf-merge-on-green bot pushed a commit that referenced this pull request Sep 22, 2022
@release-please
chore(main): release storage 1.27.0 (#6677)
f471d12 
🤖 I have created a release *beep* *boop*
---


## [1.27.0](storage/v1.26.0...storage/v1.27.0) (2022-09-22)


### Features

* **storage:** Find GoogleAccessID when using impersonated creds ([#6591](#6591)) ([a2d16a7](a2d16a7))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
@cmeury cmeury mentioned this pull request Mar 23, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tritone tritone tritone approved these changes

Assignees
No one assigned
Labels
api: storage Issues related to the Cloud Storage API. size: m Pull request size is medium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@BrennaEpp @jawher @tritone