Support signed URLs with Google Cloud Application Default Credentials (ADC)

tazjin / nixery

Container registry which transparently builds images using the Nix package manager. Canonical repository is https://cs.tvl.fyi/depot/-/tree/tools/nixery

https://nixery.dev/

Apache License 2.0

1.8k stars 67 forks source link

Support signed URLs with Google Cloud Application Default Credentials (ADC) #120

Open flokli opened 3 years ago

flokli commented 3 years ago

When running nixery on a GCP instance with the default service account / in a cloud run function / GKE, nixery should still be able to emit signed URLs to GCS buckets. It currently has code only doing this if GOOGLE_APPLICATION_CREDENTIALS is set explicitly.

tazjin commented 3 years ago

It should not do this without the feature being explicitly enabled, as the signBlob API unfortunately requires service account impersonation credentials. Useful to have though!