-
Notifications
You must be signed in to change notification settings - Fork 431
ServiceAccountCredentials cannot generate_signed_url in gcloud #448
Comments
It seems this should be a bug in GoogleCloudPlatform/gcloud-python no? I've got a pending PR to make our usage of the private keys less brittle: It's just gated on a release of @nathanielmanistaatgoogle shall we cut a release of |
@paulharter Are you creating |
@dhermes I want you to feel entitled and enabled to cut an If we're ever in a situation in which it's not safe to do so, or there are technical encumbrances to fix before we can do so, that's a process problem to be fixed. So yeah: if you want to release, release. |
Sounds good. Thanks. |
@dhermes yes I'm making the credentials something like this: private_key_pkcs8_pem = GOOGLE_PRIVATE_KEY
signer = crypt.Signer.from_string(private_key_pkcs8_pem)
credentials = service_account.ServiceAccountCredentials(
GOOGLE_ACCOUNT_EMAIL,
signer,
scopes=[],
private_key_id=GOOGLE_PRIVATE_KEY_ID,
client_id=GOOGLE_SHORT_CLIENT_ID
)
# adding the key in for a second time
credentials._private_key_pkcs8_pem = private_key_pkcs8_pem cache them for a little while and use them to sign urls url = generate_signed_url(credentials,
resource,
expiration,
api_access_endpoint=GCLOUD_STORAGE_API_ACCESS_ENDPOINT,
method='GET') You're right the main issue is probably in gcloud, but more an issue of coordination rather than bug fixing. If it was me I'd turn |
Good to know. Thanks. I cut the |
OK that release came out too. All good! |
@dhermes Brilliant - thank you for sorting this out so quickly! |
Sure thing. Getting the crypto out of |
Hi,
gcloud/credentials/generate_signed_url still expects to find the private key in
_private_key_pkcs8_pem
but it has been wrapped by the signer now. I can set it myself as has been done in the classmethod constructors, but this seems the wrong place to be doing this. The default__init__
should be setting this not classmethods as others, like me, may not be using them.Should the key really be in both
_private_key_pkcs8_pem
andsigner
? This looks fragile, and indeed has broken for me.Thanks
The text was updated successfully, but these errors were encountered: