Generating Cloud Storage Signed URL from Google Cloud Function without using explicit key file

I'd like to create a pre-signed upload URL to a storage bucket, and would like to avoid an explicit reference to a json key.

Currently, I'm attempting to do this with the Default App Engine Service Account.

I'm attempting to follow along with this answer but am getting this error:

    AttributeError: you need a private key to sign credentials.the credentials you are currently using <class 'google.auth.compute_engine.credentials.Credentials'> just contains a token. see https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-account for more details.

My Cloud Function code looks like this:

    from google.cloud import storage
    import datetime
    import google.auth

    def generate_upload_url(blob_name, additional_metadata: dict = {}):
        credentials, project_id = google.auth.default()
        # Perform a refresh request to get the access token of the current credentials (Else, it's None)
        from google.auth.transport import requests
        r = requests.Request()
        credentials.refresh(r)

        client = storage.Client()
        bucket = client.get_bucket("my_bucket")
        blob = bucket.blob(blob_name)

        service_account_email = credentials.service_account_email
        print(f"attempting to create signed url for {service_account_email}")
        url = blob.generate_signed_url(
            version="v4",
            service_account_email=service_account_email,
            access_token=credentials.token,
            # This URL is valid for 120 minutes
            expiration=datetime.timedelta(minutes=120),
            # Allow PUT requests using this URL.
            method="PUT",
            content_type="application/octet-stream",
        )
        return url

    def get_upload_url(request):
        # get_param is a helper that is not shown in the question
        blob_name = get_param(request, "blob_name")
        url = generate_upload_url(blob_name)
        return url

When you use version v4 of the signed URL, the first line of the method calls the ensure_signed_credentials method, which checks whether the current service account can generate a signature in standalone mode (so with a private key). And so, that breaks the current behavior.

In the comment of the function, it's clearly described that a service account JSON file is required:

If you are on Google Compute Engine, you can't generate a signed URL.
Follow `Issue 922`_ for updates on this. If you'd like to be able to
generate a signed URL from GCE, you can use a standard service account
from a JSON file rather than a GCE service account.

So, use the v2 version instead.
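
Added example, not part of the original question or answer and not the google-cloud-storage library's own code: it builds the string that a V4 signed URL signs, using only the standard library, and takes the signing step as a callable, which shows why credentials that hold only a token fail the private-key check. The function names, the `sign_bytes` parameter and the sample values are assumptions made for this illustration.

```python
import datetime
import hashlib
from urllib.parse import quote

HOST = "storage.googleapis.com"
MAX_EXPIRES_S = 604800  # V4 signed URLs are capped at 7 days

def v4_string_to_sign(sa_email, bucket, blob, method, headers, expires_s, now):
    """Return (string_to_sign, canonical_query, path); `now` must be UTC."""
    if not 0 < expires_s <= MAX_EXPIRES_S:
        raise ValueError("expires_s must be between 1 and 604800 seconds")
    stamp = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{now:%Y%m%d}/auto/storage/goog4_request"
    # Every signed header (host is mandatory) must be sent unchanged by the uploader.
    hdrs = {k.lower(): v.strip() for k, v in {**headers, "host": HOST}.items()}
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    params = {
        "X-Goog-Algorithm": "GOOG4-RSA-SHA256",
        "X-Goog-Credential": f"{sa_email}/{scope}",
        "X-Goog-Date": stamp,
        "X-Goog-Expires": str(expires_s),
        "X-Goog-SignedHeaders": signed_headers,
    }
    query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items())
    )
    path = f"/{bucket}/{quote(blob, safe='/~')}"
    canonical_request = "\n".join(
        [method, path, query, canonical_headers, signed_headers, "UNSIGNED-PAYLOAD"]
    )
    digest = hashlib.sha256(canonical_request.encode()).hexdigest()
    return "\n".join(["GOOG4-RSA-SHA256", stamp, scope, digest]), query, path

def signed_url(sign_bytes, **request):
    """sign_bytes(bytes) -> bytes must return an RSA-SHA256 signature made with
    the service account's private key. A bearer token cannot compute it locally,
    so without a key file this callable has to delegate to a remote signer."""
    string_to_sign, query, path = v4_string_to_sign(**request)
    signature = sign_bytes(string_to_sign.encode()).hex()
    return f"https://{HOST}{path}?{query}&X-Goog-Signature={signature}"

if __name__ == "__main__":
    # Constructed sample values; the lambda is a placeholder, not a valid signer.
    print(signed_url(lambda data: b"\x00" * 256, sa_email="sa@example.iam.gserviceaccount.com",
                     bucket="my_bucket", blob="upload.bin", method="PUT",
                     headers={"content-type": "application/octet-stream"},
                     expires_s=7200, now=datetime.datetime(2024, 1, 2, 3, 4, 5)))
```

In a Cloud Function the callable could wrap the IAM Credentials API `signBlob` call (for instance through `google.auth.iam.Signer`), which needs the `iam.serviceAccounts.signBlob` permission on the signing service account; that wiring is an assumption and is not shown on the page.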