google-cloud-storage: Cannot create signed url with ImpersonatedCredentials #5043

Closed
salrashid123 opened this issue May 1, 2019 · 0 comments · Fixed by googleapis/google-auth-library-java#279
Labels: api: storage (Issues related to the Cloud Storage API); type: feature request (‘Nice-to-have’ improvement, new feature or different behavior or design)

A Storage client using ImpersonatedCredentials does not support creation of a SignedURL.

In the sample below that uses impersonated credentials,

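import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.cloud.storage.BlobInfo;
import com.google.cloud.storage.HttpMethod;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.FileInputStream;
import java.net.URL;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;

// Source identity: a service account key file, scoped so it can call IAM.
ServiceAccountCredentials sourceCredentials = ServiceAccountCredentials
    .fromStream(new FileInputStream("/path/to/svc.json"));
sourceCredentials = (ServiceAccountCredentials) sourceCredentials
    .createScoped(Arrays.asList("https://www.googleapis.com/auth/iam"));

// Target identity: short-lived (300 s) read-only token for the impersonated account.
ImpersonatedCredentials targetCredentials =
    ImpersonatedCredentials.create(sourceCredentials,
        "impersonated-account@projectB.iam.gserviceaccount.com", null,
        Arrays.asList("https://www.googleapis.com/auth/devstorage.read_only"), 300);

// Storage client that authenticates as the impersonated account.
Storage storage_service = StorageOptions.newBuilder()
    .setCredentials(targetCredentials)
    .build().getService();

String BUCKET_NAME1 = "fabled-ray-104117";
String BLOB_NAME1 = "signed_url_file.txt";

BlobInfo BLOB_INFO1 = BlobInfo.newBuilder(BUCKET_NAME1, BLOB_NAME1).build();

// This call fails: the impersonated credentials carry no signing key.
URL url =
    storage_service.signUrl(
        BLOB_INFO1,
        14,
        TimeUnit.MINUTES,
        Storage.SignUrlOption.httpMethod(HttpMethod.GET),
        Storage.SignUrlOption.withV4Signature());
System.out.println(url);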

The error is "Signing key was not provided and could not be derived".

One solution is to just implement ServiceAccountSigner in ImpersonatedCredentials:

public class ImpersonatedCredentials extends GoogleCredentials implements ServiceAccountSigner

Here is a working sample that successfully impersonates and produces a signed url:

https://gist.github.com/salrashid123/394f1dfee4d7b16049acc6cca772dd43
(see line 145)
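
An added example, not part of the original issue, the linked gist, or the library: one way to get a signed URL without a local key is to pass an explicit signer through `Storage.SignUrlOption.signWith(...)`. The class name `IamSignBlobSigner` is hypothetical; the sketch assumes Java 11+, Gson on the classpath, the IAM Credentials `signBlob` REST method, and that the source identity holds `iam.serviceAccounts.signBlob` on the target account.

```java
import com.google.auth.ServiceAccountSigner;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Base64;

// Hypothetical helper (assumption, not library code): signs as the target account via IAM.
// Usage: Storage.SignUrlOption.signWith(new IamSignBlobSigner(sourceCredentials, "<target email>"))
public class IamSignBlobSigner implements ServiceAccountSigner {
  private final GoogleCredentials source; // caller identity, scoped for IAM
  private final String targetAccount;     // account whose Google-managed key signs

  public IamSignBlobSigner(GoogleCredentials source, String targetAccount) {
    this.source = source;
    this.targetAccount = targetAccount;
  }

  @Override public String getAccount() { return targetAccount; }

  @Override
  public byte[] sign(byte[] toSign) {
    try {
      source.refreshIfExpired(); // make sure a current access token is available
      JsonObject body = new JsonObject();
      body.addProperty("payload", Base64.getEncoder().encodeToString(toSign));
      HttpRequest request = HttpRequest.newBuilder(URI.create(
              "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
                  + targetAccount + ":signBlob"))
          .header("Authorization", "Bearer " + source.getAccessToken().getTokenValue())
          .header("Content-Type", "application/json")
          .POST(HttpRequest.BodyPublishers.ofString(body.toString()))
          .build();
      HttpResponse<String> response =
          HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
      if (response.statusCode() != 200) { // e.g. 403 when signBlob permission is missing
        throw new IllegalStateException("signBlob returned HTTP " + response.statusCode());
      }
      String signed = JsonParser.parseString(response.body())
          .getAsJsonObject().get("signedBlob").getAsString();
      return Base64.getDecoder().decode(signed); // raw signature bytes for signUrl
    } catch (IOException | InterruptedException e) {
      if (e instanceof InterruptedException) Thread.currentThread().interrupt();
      throw new IllegalStateException("signBlob call failed for " + targetAccount, e);
    }
  }
}
```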
