blob/gcsblob: set defaults for SignURL #2800
I'd love to get some guidance on how to properly test this, or someone from the team to implement them given the elaborate infrastructure this uses.
Codecov Report
@@ Coverage Diff @@
## master #2800 +/- ##
==========================================
+ Coverage 68.24% 68.37% +0.12%
==========================================
Files 115 116 +1
Lines 13348 13406 +58
==========================================
+ Hits 9110 9167 +57
- Misses 3582 3583 +1
Partials 656 656
I've dropped detection of the service account on GCE (as
Thanks for the PR!
Not sure what's outstanding – if there's something, please do kindly remind me.
Thanks for your patience with this, we're getting close.
This lifts gcsblob to function parity with other blob implementations and enables users to skip setting those values in environments such as AppEngine, where the file is in a well-known location, and generally whenever a GOOGLE_APPLICATION_CREDENTIALS is set.
Thanks for your patience negotiating this. Tests are in, and I believe we've arrived at an expanded functionality that opens up this to use-cases with improved security.
The IAM Service Account Credentials API can be used without a private key, and to impersonate other accounts.
Thanks again for your patience and for the contribution!
This enables using blob.SignURL out-of-the-box by setting the required values, primarily the GoogleAccessID and a PrivateKey (where available), and a default signing behaviour.
By moving the IAM Credentials API client into the bucket, it's henceforth possible to use it in bucket.Options.SignBytes() without any external wrapper.
Previously users ran into SignURL working properly with the likes of S3 without doing anything special, and GCS has been the outlier that needed additional work degrading productivity and developer experience.
closes #2653
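The defaulting described in this PR, as an added example that is not code from the PR or from gcsblob: the access ID comes from the credentials file's client_email, signing is local when the file carries a private key, and otherwise it is delegated to a caller-supplied signer such as a wrapper around the IAM Service Account Credentials API. The names signDefaults, SignFunc and sampleKey are hypothetical, and the input is assumed to follow the service-account JSON key layout (client_email, private_key).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
)

type SignFunc func(payload []byte) ([]byte, error) // signs the string-to-sign

// signDefaults (hypothetical, not gcsblob's code) returns the access ID and a
// signer: the file's own RSA key if present, else the remote (IAM) fallback.
func signDefaults(creds []byte, remote SignFunc) (string, SignFunc, error) {
	var c struct {
		Email string `json:"client_email"`
		Key   string `json:"private_key"`
	}
	if err := json.Unmarshal(creds, &c); err != nil || c.Email == "" {
		return "", nil, errors.New("credentials lack a usable client_email")
	}
	if c.Key == "" && remote != nil { // keyless: delegate, no key material held
		return c.Email, remote, nil
	}
	block, _ := pem.Decode([]byte(c.Key))
	if block == nil {
		return "", nil, errors.New("no PEM private_key to sign with")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	key, ok := parsed.(*rsa.PrivateKey)
	if err != nil || !ok {
		return "", nil, errors.New("private_key is not a PKCS#8 RSA key")
	}
	return c.Email, func(p []byte) ([]byte, error) {
		sum := sha256.Sum256(p) // GCS signed URLs use RSA-SHA256
		return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	}, nil
}

// sampleKey returns a throwaway key and its PKCS#8 PEM (constructed input).
func sampleKey() (*rsa.PrivateKey, []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return key, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}
```

The keyless branch is the one that avoids holding a long-lived private key in the process; the local-key branch only applies when the credentials file already contains one.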