Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

UrlSigner using active GoogleCredentials

See original GitHub issue

Hi,

I deploy ServiceA in GAE project A using the default GAE service account. ServiceA accesses buckets in projectB. The service account (and my username) has been given access to the projectB.

Code is straightforward and works fine

 var bucket = client.GetBucket(bucketName);
 foreach (var obj in client.ListObjects(bucketName, "bc593da7")) {...}

I want to generate sign url using the current credentials being used but I am having a difficulties.

GoogleCredential credential = await GoogleCredential.GetApplicationDefaultAsync();returns the UserCredentials when I test locally, and will, I believe, return the service account credentials when deployed to GAE.

UrlSigner is all about ServiceAccountCredential. So i cannot even do:

GoogleCredential credential = await GoogleCredential.GetApplicationDefaultAsync();
var cred = credential.UnderlyingCredential as ServiceAccountCredential;
UrlSigner urlSigner = UrlSigner.FromServiceAccountCredential(cc);

as it gives me UserAccount cannot be casted in ServiceAccount when testing locally

Question: is there a way to sign an url using current credentials without storing/deploying the json key with the app?

Issue Analytics

State:
Created 6 years ago
Comments:12

Top GitHub Comments

1reaction

minherzcommented, Jul 8, 2018

@jskeet, this limitation makes it nearly impossible to use UrlSigner in conjunction with implicit service account that is associated with GCE instance. When running an app on GCE instance and calling to GoogleCredential.GetApplicationDefault() the ComputeCredential is returned. There is no way to get an instance of ServiceAccountCredential from an instance of ComputeCredential. I would expect that since both are based on ServiceCredential type, they both can be used for signing URLs. But the library is very strict on the matter.

0reactions

neil-119commented, Sep 10, 2020

I wanted to share how we worked around this problem. We created a new Service Account and gave it the necessary permissions, and then we uploaded its JSON string to GCP Secret Manager. Since Secret Manager can be accessed with the default credentials, we stream the JSON from Secret Manager to create the credential, like so:

...
if (scopes == null)
                scopes = new string[] { "https://www.googleapis.com/auth/cloud-platform" };

            var json = ...; // grab it from Secret Manager
            using MemoryStream stream = new MemoryStream(System.Text.Encoding.UTF8.GetBytes(json));
            return (ServiceAccountCredential)GoogleCredential
                .FromStream(stream)
                .CreateScoped(scopes)
                .UnderlyingCredential;

...

Top Results From Across the Web

Google Cloud Storage v1 API - Class UrlSigner (4.6.0)

Creates a new UrlSigner instance from the JSON configuration file of a Google credential. See FromCredential(GoogleCredential) for more ...

[Solved]-How to sign url in .net for google cloud storage-C#

Now there is a UrlSigner in the pre-release package Google.Cloud.Storage.V1 that can be used to to provide read-only access to existing objects:

How do we set GoogleCredentials for p12 file

I need to use p12 file for GoogleCredentials instead of json file which ... libraries or the gcloud auth activate-service-account command.

google-beta_storage_object_signed_url | Data Sources

Signed URLs provide a way to give time-limited read or write access to anyone in possession of the URL, regardless of whether they...

Authentication for Databricks automation

Google Cloud credentials authentication uses Google Cloud service account credentials to authenticate the target Google Cloud service account.

Troubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.

Start Free

Top Related Reddit Thread

No results found

Top Related Tweet

No results found

Top Related Dev.to Post

No results found

Unable to resolve service for type 'Google.Cloud.Diagnostics.Common.IExceptionLogger' while attempting to activate 'Google.Cloud.Diagnostics.AspNetCore.ErrorReportingExceptionLoggerMiddleware'

UrlSigner using active GoogleCredentials

Issue Analytics

Top GitHub Comments

Top Results From Across the Web

Top Related Medium Post

Top Related StackOverflow Question

Troubleshoot Live Code

Top Related Reddit Thread

Top Related Hackernoon Post

Top Related Tweet

Top Related Dev.to Post

Top Related Hashnode Post

Unable to resolve service for type 'Google.Cloud.Diagnostics.Common.IExceptionLogger' while attempting to activate 'Google.Cloud.Diagnostics.AspNetCore.ErrorReportingExceptionLoggerMiddleware'

replacing a custom label leads to no more log entries