Signing blobs in different scenarios

[cortadocodes]

We need to be able to sign blobs in the following scenarios.

Location	Authentication context	What for	Solution
Google Cloud Run	Default credentials' access token	Providing signed URLs for output datasets in production	Refresh credentials to get access token and use google.auth.compute_engine.credentials.IDTokenCredentials
GitHub Actions	Workload identity federation	Our CI tests	Mock Blob.generate_signed_url
Locally	Service account key	Local testing; providing signed URLs to output datasets when running services locally	Use Blob.generate_signed_url as normal

The following resources helped us get to this set of solutions:

• https://stackoverflow.com/questions/64234214/how-to-generate-a-blob-signed-url-in-google-cloud-run
• https://github.com/googleapis/google-auth-library-python/issues/50
• https://gist.github.com/jezhumble/91051485db4462add82045ef9ac2a0ec
• https://github.com/googleapis/google-auth-library-python/issues/238

[thclark]

Possibly of relevance: https://github.com/octue/django-gcp/issues/10