I'm facing a problem using django-storages with an App Engine application.
In a normal App Engine application, no credentials should need to be provided, as a default service account is provided by the environment, so the Google libraries should load those default credentials.
But, in the case of writing private files, the Google library raises an error:
```
you need a private key to sign credentials.the credentials you are currently using <class 'google.auth.compute_engine.credentials.Credentials'> just contains a token. see https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-account for more details.
```
I found someone who found a workaround. It seems to work until the token requested when bringing the container up has expired, and then django-storages tries to refresh the credentials and a new error is raised about a missing scope or audience. This seems normal, since an empty audience is provided by the workaround:
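```python
import google.auth
import google.auth.transport.requests  # required for google.auth.transport.requests.Request
from google.auth import compute_engine

auth_request = google.auth.transport.requests.Request()
# This uses the default credentials by default, no need to pass service_account_email.
signing_credentials = compute_engine.IDTokenCredentials(auth_request, "")
# string_to_sign holds the bytes to be signed and is supplied by the caller.
signing_credentials.signer.sign(string_to_sign)
```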
I couldn't find any clear explanation of what is going on, or what the right way to do this is without creating a credential file, since we already have default service account credentials loaded in any App Engine instance.
What is the good way to do this with django-storages?
After understanding this, I could make a documentation PR to guide new users.
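One way to sign URLs with the environment's token-only credentials and no key file, as an added example (not part of the original post and not django-storages code): pass the service account email and a fresh access token to google-cloud-storage's `generate_signed_url`, which then signs through the IAM signBlob API. It assumes the default service account is allowed to sign blobs as itself (for example through the Service Account Token Creator role); `metadata_credentials`, `signing_kwargs` and `private_url` are hypothetical helper names.

```python
import datetime


def metadata_credentials():
    """Return (credentials, request) for the environment's default service account."""
    # Imported lazily so the helpers below can be exercised without the GCP libraries.
    import google.auth
    import google.auth.transport.requests

    credentials, _project = google.auth.default()
    return credentials, google.auth.transport.requests.Request()


def signing_kwargs(credentials, request):
    """Build the keyword arguments that make generate_signed_url sign through IAM.

    Token-only credentials carry no private key. Given service_account_email and
    access_token, google-cloud-storage asks IAM to sign instead of signing locally.
    """
    # Refresh when the token has expired, and also on first use: compute engine
    # credentials report the email "default" until they have been refreshed once.
    if not credentials.valid or credentials.service_account_email == "default":
        credentials.refresh(request)
    return {
        "service_account_email": credentials.service_account_email,
        "access_token": credentials.token,
    }


def private_url(blob, credentials, request, minutes=15):
    """Return a V4 signed GET URL for a google.cloud.storage Blob, without a key file."""
    return blob.generate_signed_url(
        version="v4",
        expiration=datetime.timedelta(minutes=minutes),
        method="GET",
        **signing_kwargs(credentials, request),
    )
```

Because the token is checked on every call, a URL requested after the container's initial token has expired triggers a refresh of the access token rather than reusing a stale one.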