search

ahmetb / cloud-run-faq

Unofficial FAQ and everything you've been wondering about Google Cloud Run.
https://cloud.run
Creative Commons Attribution 4.0 International
2.32k stars 124 forks source link

How to sign GCS Blob in Cloud Run? #96

Closed sww314 closed 3 years ago

sww314 commented 3 years ago

Running a python image using the standard Service Account, I get an error trying to sign GCS blobs. Is there a work around? The same service account works fine with the JSON file is mounted (when I run the container locally). 


Exception Type: | AttributeError
-- | --
you need a private key to sign credentials.the credentials you are currently using <class 'google.auth.compute_engine.credentials.Credentials'> just contains a token. see https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-account for more details.
/usr/local/lib/python3.8/site-packages/google/cloud/storage/_signing.py, line 51, in ensure_signed_credentials
ahmetb commented 3 years ago

Please ask this on Stack Overflow. I believe this is either an issue with how you pass creds to the container –or something wrong with Python client libraries. Cloud Run provides a token in the container runtime just fine, and the rest is handled by client libraries. Maybe consider opening an issue in the relevant code repo. https://cloud.google.com/python/docs/reference

sww314 commented 3 years ago

Here is the stackoverflow question in case anyone stumbles on this.

There is no documentation - that I can find on how to do this in Cloud Run. The same work arounds listed in https://github.com/googleapis/google-auth-library-python/issues/50 fails in Cloud Run, but works on a Compute Instance.

I think because you can set the allowed scopes on VM instance.

https://stackoverflow.com/questions/64234214/how-to-generate-a-blob-signed-url-in-google-cloud-run