Unable to sign GCS URL using gcloud default login

php Editor Zimo may encounter a problem when using gcloud, that is, he cannot use the default login name to sign the GCS URL. This problem may cause some confusion, but we can find a solution. In this article, we will introduce how to solve this problem so that you can successfully use gcloud to sign GCS URLs. Whether you are a beginner or an experienced developer, this article will provide you with clear and concise solutions. Let’s take a look!

Question content

I am developing a golang backend and using the cloud.google.com/go/storage library to communicate with our gcs instance. Currently I'm using this library to sign urls and upload media to our instance. However, I want to avoid downloading the service account key file and explicitly setting the google_application_credentials environment variable for local development purposes. To achieve this, I provided the user credentials for adc as per the reference documentation.

Uploading media works fine with the new adc configuration. However, when trying to sign the url using the following code snippet:

u, err := client.bucket(bucket).signedurl(object, &storage.signedurloptions{
        method:  http.methodget,
        expires: time.now().add(365 * 24 * time.hour),
    })

I received an error message:

storage: unable to detect default GoogleAccessID: storage: empty client email in credentials

This error message is confusing because I authenticated using gcloud auth application-default login before executing the code. What could be the problem here and how can I fix it?

edit: I tried adding the --impersonate-service-account flag to point to the service account that has token creation permissions, but that doesn't seem to work either.

Workaround

Apparently this issue is resolved in the latest version of cloud.google.com/go/storage (I read about it in the GitHub discussion content, but for some reason the link can no longer be found). You must append the service account to the signed URL, and the library is now able to obtain the GoogleAccessID associated with the impersonation. After upgrading to v1.29.0 and authenticating using gcloud auth application-default login --impersonate-service-account=a172055c20f3b3671523e8c61e57bc2a everything seems to be working fine. Make sure your user account has the "Service Account Token Creator" role assigned under the service account.

The above is the detailed content of Unable to sign GCS URL using gcloud default login. For more information, please follow other related articles on the PHP Chinese website!