GCloud SignatureDoesNotMatch

Question

I am attempting to get a signed url from Google cloud where we can upload a document.

func GetSignedURL(bucketName string, objectName string) string {
    ctx := context.Background()
    // Get a connection to gcloud
    client, err := storage.NewClient(ctx, option.WithCredentialsFile(config.GetSettings().GoogleCloudKey))
    if err != nil {
        msg := err.Error() + " @ " + whereami.WhereAmI() + " on " + helpers.GetTimeInTimezone()
        panic(msg)
    }
    defer client.Close()

    opts := &storage.SignedURLOptions{
        Scheme:     storage.SigningSchemeV4,
        Method:     "PUT",
        PrivateKey: []byte(getPrivateKey()), //<- a Google service account private key, obtainable from the Google Developers Console
        Expires:    time.Now().Add(15 * time.Minute),
        Insecure:   false,
    }
    //Use connection to get url
    url, err := client.Bucket(bucketName).SignedURL(objectName, opts)
    if err != nil {
        msg := err.Error() + " @ " + whereami.WhereAmI() + " on " + helpers.GetTimeInTimezone()
        panic(msg)
    }

    return url
}

Per https://cloud.google.com/storage/docs/access-control/signing-urls-with-helpers#storage-signed-url-object-go I do sign the request with my Private key, I get a url similar to this:

https://storage.googleapis.com/yyy-vv-upload-xxx/aa41dcaed3a24f65b8d5a9ac94b4c0a6?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=xxx-assets-gcs-yyy-devops%40yyy-devops.iam.gserviceaccount.com%2F20226667%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20221227T183246Z&X-Goog-Expires=899&X-Goog-Signature=260b2e695999ccdea5d5d5e46f0f83d204609dbfc0efcdf1fa8381b9ec748eacad36b525e695c6fc2fb02277a56e3c10674a75de2ba83c668c2052a89192345ddbdd0fe841ea28dc7df01648f2ca420b43d6fa162540e1c34865847d34c832ded157f2ec58bd8d57c47eef32d632ff02dc1927dc94f7509795e78c357dc556e2c96ea8e86dfb5015c796627f327caf04f45560bad4d5cdb714c5bc97d442cbc87639f44b2a102ce9d9a3fc83e81bcaf9fde38ce56efd02decd3fe8a1cf5fc823e46c85b39d7ada41618993e80b5c2e61a0380d403d0d6763310350ab1cf22d539c80fdaafc2320cbdeb3f1e7c21b4c40e3dc8889b348f67573852d5e7986167e&X-Goog-SignedHeaders=host

When I load it in a browser I get the following:

<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Message>
<StringToSign>GOOG4-RSA-SHA256 20221227T183246Z 20221227/auto/storage/goog4_request 78f5677e7572233dc56657f7b055601eee26e7913bb6426194c888367c521990</StringToSign>
<CanonicalRequest>GET /yyy-vv-upload-xxx/aa41dcaed3a24f65b8d5a9ac94b4c0a6 X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=xxx-assets-gcs-yyy-devops%40yyy-devops.iam.gserviceaccount.com%2F20221227%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20221227T183246Z&X-Goog-Expires=899&X-Goog-SignedHeaders=host host:storage.googleapis.com host UNSIGNED-PAYLOAD</CanonicalRequest>
</Error>

Any advice?

Answer 1

The error is completely misleading, it should have complained about the http method. Once I put the generated url in Postman and made a PUT request it worked. I could upload an image of a goldfish. The error above is generated for a GET request.