This repository has been archived by the owner on Nov 5, 2019. It is now read-only.

ServiceAccountCredentials cannot generate_signed_url in gcloud #448

Closed
paulharter opened this issue Mar 3, 2016 · 9 comments

@paulharter

Hi,

gcloud/credentials/generate_signed_url still expects to find the private key in _private_key_pkcs8_pem but it has been wrapped by the signer now. I can set it myself as has been done in the classmethod constructors, but this seems the wrong place to be doing this. The default __init__ should be setting this, not the classmethods, as others, like me, may not be using them.

Should the key really be in both _private_key_pkcs8_pem and signer? This looks fragile, and indeed has broken for me.

Thanks

@dhermes
Contributor

dhermes commented Mar 3, 2016

It seems this should be a bug in GoogleCloudPlatform/gcloud-python, no? I've got a pending PR to make our usage of the private keys less brittle:
googleapis/google-cloud-python#1518

It's just gated on a release of oauth2client with #421 in it.

@nathanielmanistaatgoogle shall we cut a release of oauth2client?

@dhermes
Contributor

dhermes commented Mar 3, 2016

@paulharter Are you creating credentials manually and then passing them along? Are you using ServiceAccountCredentials.__init__ directly? If yes, how are you constructing the signer?

@nathanielmanistaatgoogle
Contributor

@dhermes I want you to feel entitled and enabled to cut an oauth2client release any time you please.

If we're ever in a situation in which it's not safe to do so, or there are technical encumbrances to fix before we can do so, that's a process problem to be fixed.

So yeah: if you want to release, release.

@dhermes
Contributor

dhermes commented Mar 3, 2016

Sounds good. Thanks.

@paulharter
Author

@dhermes yes I'm making the credentials something like this:

    from oauth2client import crypt, service_account

    private_key_pkcs8_pem = GOOGLE_PRIVATE_KEY
    # wrap the PEM key in a signer, which is what __init__ takes
    signer = crypt.Signer.from_string(private_key_pkcs8_pem)

    credentials = service_account.ServiceAccountCredentials(
        GOOGLE_ACCOUNT_EMAIL,
        signer,
        scopes=[],
        private_key_id=GOOGLE_PRIVATE_KEY_ID,
        client_id=GOOGLE_SHORT_CLIENT_ID
    )
    # adding the key in for a second time
    credentials._private_key_pkcs8_pem = private_key_pkcs8_pem

cache them for a little while and use them to sign urls

    from gcloud.credentials import generate_signed_url

    url = generate_signed_url(credentials,
                              resource,
                              expiration,
                              api_access_endpoint=GCLOUD_STORAGE_API_ACCESS_ENDPOINT,
                              method='GET')

You're right the main issue is probably in gcloud, but more an issue of coordination rather than bug fixing. If it was me I'd turn _private_key_pkcs8_pem into a property that read from the signer so as not to break gcloud til they catch up.
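The fragility reported in this thread and the property suggested in the comment above, as an added example that is not part of the thread and is not oauth2client or gcloud-python code. `ToySigner`, both credential classes, `legacy_sign` and the `PEM` value are hypothetical stand-ins, with HMAC-SHA256 in place of RSA signing so the block runs on the standard library alone.

```python
import hashlib
import hmac

PEM = "constructed-sample-key"  # constructed placeholder, not a real PKCS#8 key


class ToySigner:
    """Stand-in signer wrapping key material (HMAC-SHA256 instead of RSA)."""

    def __init__(self, pem):
        self.pem = pem

    def sign(self, message):
        return hmac.new(self.pem.encode(), message, hashlib.sha256).hexdigest()


class DuplicatedKeyCredentials:
    """Reported layout: the PEM copy is set by the classmethod, not __init__."""

    _private_key_pkcs8_pem = None

    def __init__(self, email, signer):
        self.email, self._signer = email, signer

    @classmethod
    def from_pem(cls, email, pem):
        creds = cls(email, ToySigner(pem))
        creds._private_key_pkcs8_pem = pem  # second copy of the key
        return creds


class SingleSourceCredentials:
    """Suggested layout: the attribute is a property read from the signer."""

    def __init__(self, email, signer):
        self.email, self._signer = email, signer

    @property
    def _private_key_pkcs8_pem(self):
        return self._signer.pem


def legacy_sign(credentials, resource):
    """Hypothetical caller that still reads the private attribute."""
    pem = credentials._private_key_pkcs8_pem
    if pem is None:
        raise ValueError("credentials carry no _private_key_pkcs8_pem")
    return ToySigner(pem).sign(resource.encode())
```

With the duplicated layout, `legacy_sign` works only for credentials built through `from_pem`; with the property, credentials built through `__init__` sign identically because the key lives in one place.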

@dhermes
Contributor

dhermes commented Mar 3, 2016

Good to know. Thanks. I cut the 2.0.1 release today and merged googleapis/google-cloud-python#1518 so the only hangup now is a release of gcloud-python.

@dhermes
Contributor

dhermes commented Mar 8, 2016

OK that release came out too. All good!

dhermes closed this as completed Mar 8, 2016

@paulharter
Author

@dhermes Brilliant - thank you for sorting this out so quickly!

@dhermes
Contributor

dhermes commented Mar 9, 2016

Sure thing. Getting the crypto out of gcloud-python and into oauth2client had been bothering me for months.
