Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Storage.signUrl() fails with default credentials in java8 standard runtime

See original GitHub issue

Invocation:

// initialization
storage = StorageOptions.getDefaultInstance().getService();

// later
storage.signUrl(info, 5L, TimeUnit.MINUTES,
                Storage.SignUrlOption.httpMethod(HttpMethod.valueOf(method)),
                Storage.SignUrlOption.withContentType()
        );

Stacktrace:

Caused by: java.lang.IllegalStateException: Signing key was not provided and could not be derived
	at com.google.common.base.Preconditions.checkState(Preconditions.java:444)
	at com.google.cloud.storage.StorageImpl.signUrl(StorageImpl.java:508)

I tracked the problem down to the com.google.auth.oauth2.GoogleCredentials.getDefaultCredentialsUnsynchronized()(https://github.com/google/google-auth-library-java/blob/51a5445b33d10f252cadfdcca82dd9e68512e483/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java#L182) where it skips over tryGetAppEngineCredential() to return an instance of com.google.auth.oauth2.AppengineCredentials which is one of the implementations of ServiceAccountSigner required by the signUrl call with default credentials.

This may also affect other services assuming an instance of com.google.auth.oauth2.AppengineCredentials.

Is there any specific reason why to check for java7 only?

Background: We moved to the java8 runtime on GAE and upgraded our api clients to the google-cloud-java api clients version 1.10.0.

Issue Analytics

State:
Created 6 years ago
Reactions:2
Comments:24 (7 by maintainers)

Top GitHub Comments

3reactions

NicolaSpreaficocommented, Aug 9, 2018

I had the same problem (using 1.35.0): Caused by: java.lang.IllegalStateException: Signing key was not provided and could not be derived

Using AppEngine standard, I solved like this:

        static final AppIdentityService identityService = AppIdentityServiceFactory.getAppIdentityService();

        SignUrlOption signWith = SignUrlOption.signWith(new ServiceAccountSigner() {
            @Override
            public byte[] sign(byte[] toSign) {
                return identityService.signForApp(toSign).getSignature();
            }

            @Override
            public String getAccount() {
                return identityService.getServiceAccountName();
            }
        });

1reaction

khoekcommented, Nov 1, 2020

I needed to grant iam.serviceAccounts.signBlob in order for the default service account to sign URLs while running in App Engine, but running locally with the same credentials didn’t require this—is this a bug?

Top Results From Across the Web

java - Providing Credentials to Google Cloud Storage API

When I run that code, I get a 401 Unauthorized error when I call storage.create() , and that's not surprising because I'm not...

V4 signing process with Cloud Storage tools

Use the gsutil signurl command, passing in the path to the private key from the previous step as well as the bucket and...

Spring Framework on Google Cloud

Configure your app with Spring Cloud Config, backed up by the Google Runtime Configuration API. Consume and produce Google Cloud Storage data via...

Intro to Google Cloud Storage with Java - Baeldung

For this simple example, we a bucket name and accept the default properties. Bucket names must be globally unique. If we choose a...

Google Storage - Apache Camel

For example a component may have security settings, credentials for authentication, urls for network connection and so forth. Some components only have a...