Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Support signurl using compute engine service account

See original GitHub issue

Hi! I noticed in #968 there was functionality added to create signed URLs without a local private key. That’s awesome! I’m trying to use this and I could use a little help.

I’m running on a compute instance and I’m able to do things like list the contents of my bucket without setting up any special configuration using the default service account, but trying to create a signed URL results in this message:

$ gsutil signurl -d 10m -u gs://[snip]/[snip].zip
URL     HTTP Method     Expiration      Signed URL
CommandException: Cannot get service account email id for the given credential type.

I’m guessing I need to set up a boto config, though I haven’t had to do that for other actions. Is there anything you could suggest?

I’m using gsutil 4.49.

Thank you!

Issue Analytics

  • State:open
  • Created 3 years ago
  • Reactions:10
  • Comments:14 (1 by maintainers)

github_iconTop GitHub Comments

1reaction
dilippedcommented, Apr 9, 2020

Edited the title to better describe the exact feature that is needed here.

On digging a little more into this problem, it looks like the fix is not as simple as I thought earlier. GceAssertionCredentials (which is what gets used if using the default setup from a GCE instance) does not provide service_account_email directly which is required for signing the url.

We might have to figure out other ways to access the service account email which would need further exploring the API. A quick look here shows that currently there is no good way to extract that information.

1reaction
dilippedcommented, Apr 7, 2020

You can run gsutil version -l to check the boto config path.

Read more comments on GitHub >

github_iconTop Results From Across the Web

signurl - Create a signed URL | Cloud Storage
The signurl command uses the private key for a service account (the '<private-key-file>' argument) to generate the cryptographic signature for the generated ...
Read more >
How can I create a signed URL for Google Cloud Storage with ...
I can create a new, separate service account from the developer console, and that has the option of downloading a .p12 file for...
Read more >
How to create Signed Url – Temporary Access in ... - YouTube
Create new service account and create new bucket for demo: ... How to create Signed Url – Temporary Access in Bucket Google Cloud...
Read more >
Google Cloud Storage Service Account Key Management for ...
It looks like the best practice here is to use the client.Bucket(bucket).SignedURL(object, opts) API. func storageSignUrl(object string) ...
Read more >
signurl - Create a signed url - Google Cloud Storage - huihoo
Note: Unlike the gsutil ls command, the signurl command does not support operations ... The signurl command uses the private key for a...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

gsutil ignores XDG basedir spec

Next page

TypeError: cannot pickle '_io.TextIOWrapper' object