
Pascal/signed url continued #412

Merged
merged 6 commits into from
Dec 19, 2023

Conversation

Pascal-Delange
Contributor

@Pascal-Delange Pascal-Delange commented Dec 19, 2023

Service account permissions to be checked and adjusted manually and terraformed in another PR

Prereq for checkmarble/marble-frontend#319

@Pascal-Delange Pascal-Delange force-pushed the pascal/signed-url-continued branch from 2c176ff to 9a5cadf Compare December 19, 2023 10:02
@Pascal-Delange Pascal-Delange marked this pull request as ready for review December 19, 2023 10:28
@Pascal-Delange Pascal-Delange requested a review from a team December 19, 2023 10:28
@@ -168,3 +172,17 @@ func (repository *GcsRepositoryImpl) DeleteFile(ctx context.Context, bucketName,

return nil
}

func (repo *GcsRepositoryImpl) GenerateSignedUrl(ctx context.Context, bucketName, fileName string) (string, error) {
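Review bot: the receiver of the new method is named `repo`, while the adjacent `DeleteFile` shown in the hunk header uses `repository`; pick one receiver name for every method on `GcsRepositoryImpl`. The exported `GenerateSignedUrl` also has no doc comment; a one-line comment stating which HTTP method the returned URL authorises and how long it stays valid would let callers reason about the lifetime of the link they hand out.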
Contributor Author

@Pascal-Delange Pascal-Delange Dec 19, 2023


I found this alternative which seemed to work better when running locally:

import (
	"context"
	"fmt"
	"net/http"
	"time"

	credentials "cloud.google.com/go/iam/credentials/apiv1"
	"cloud.google.com/go/iam/credentials/apiv1/credentialspb"
	"cloud.google.com/go/storage"
)

// signedUrlExpiryHours and getGCSClient are defined elsewhere in the repository.

func (repo *GcsRepositoryImpl) GenerateSignedUrl(ctx context.Context, bucketName, fileName string) (string, error) {
	serviceAccount := "[email protected]"
	c, err := credentials.NewIamCredentialsClient(ctx)
	if err != nil {
		return "", fmt.Errorf("creating IAM credentials client: %w", err)
	}
	defer c.Close()

	// This code will typically not run locally if you target the real GCS repository, because SignedURL only works with service account credentials (not end user credentials)
	// Hence, run the code locally with the fake GCS repository always
	bucket := repo.getGCSClient(ctx).Bucket(bucketName)
	return bucket.SignedURL(
		fileName,
		&storage.SignedURLOptions{
			Method:         http.MethodGet,
			GoogleAccessID: serviceAccount,
			// Delegate the signature to the IAM Credentials API (signBlob) so no private key is needed on the host.
			SignBytes: func(b []byte) ([]byte, error) {
				req := &credentialspb.SignBlobRequest{
					Payload: b,
					// SignBlob expects the resource name form, not the bare email address.
					Name: "projects/-/serviceAccounts/" + serviceAccount,
				}
				resp, err := c.SignBlob(ctx, req)
				if err != nil {
					return nil, fmt.Errorf("signing blob via IAM credentials API: %w", err)
				}
				return resp.SignedBlob, nil
			},
			Expires: time.Now().Add(signedUrlExpiryHours * time.Hour),
		},
	)
}

But only when using application-default credentials that impersonate a service account - so not practical
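Whichever signing path is used, the expiry the service embeds in the link is the control that bounds how long a leaked URL stays useful. The following Go check, added here as an example and not code from the PR or the marble repository, parses the expiry parameters of a GCS signed URL (both the V2 `Expires` form the storage client emits by default and the V4 `X-Goog-Date`/`X-Goog-Expires` form) and compares the remaining lifetime against a policy limit; the limit value stands in for the PR's `signedUrlExpiryHours` constant and is an assumption.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// SignedURLRemaining returns how much longer a GCS signed URL stays valid as of now.
// V4 URLs encode X-Goog-Date plus X-Goog-Expires (seconds); V2 URLs encode an absolute Expires unix time.
func SignedURLRemaining(rawURL string, now time.Time) (time.Duration, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return 0, err
	}
	q := u.Query()
	if v := q.Get("X-Goog-Expires"); v != "" {
		secs, err := strconv.Atoi(v)
		if err != nil {
			return 0, fmt.Errorf("bad X-Goog-Expires: %w", err)
		}
		issued, err := time.Parse("20060102T150405Z", q.Get("X-Goog-Date"))
		if err != nil {
			return 0, fmt.Errorf("bad X-Goog-Date: %w", err)
		}
		return issued.Add(time.Duration(secs) * time.Second).Sub(now), nil
	}
	if v := q.Get("Expires"); v != "" {
		unix, err := strconv.ParseInt(v, 10, 64)
		if err != nil {
			return 0, fmt.Errorf("bad Expires: %w", err)
		}
		return time.Unix(unix, 0).Sub(now), nil
	}
	return 0, fmt.Errorf("no expiry parameter: not a signed url")
}

// CheckLifetime enforces the expiry policy (maxHours stands in for the PR's
// signedUrlExpiryHours; the value passed is an assumption) against a URL.
func CheckLifetime(rawURL string, now time.Time, maxHours int) error {
	remaining, err := SignedURLRemaining(rawURL, now)
	if err != nil {
		return err
	}
	if remaining > time.Duration(maxHours)*time.Hour {
		return fmt.Errorf("signed url still valid for %s, policy allows %dh", remaining, maxHours)
	}
	return nil
}
```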

@Pascal-Delange Pascal-Delange force-pushed the pascal/signed-url-continued branch from af56132 to 94f2932 Compare December 19, 2023 10:51
Co-authored-by: Thomas Lathuiliere <[email protected]>
@Pascal-Delange Pascal-Delange merged commit 8280279 into master Dec 19, 2023
2 checks passed
@Pascal-Delange Pascal-Delange deleted the pascal/signed-url-continued branch December 19, 2023 14:48