Creating V4 Signed URLs in CloudRun

Problem description

I'd like to create Signed URLs to Google Cloud Storage resources from an app deployed using CloudRun.

My intent was to use V4 Signing to create Signed URLs from CloudRun. There is a guide for this use-case where a file service_account.json is used to generate JWT config. This works for me on localhost when I download the file from Google's IAM. I'd like to avoid having this file committed in the repository and use the one that I provided in CloudRun UI.

I was hoping that CloudRun injects this service account file to the app container and makes it accessible in GOOGLE_APPLICATION_CREDENTIALS variable but that's not the case.

Do you have a recommendation on how to do this? Thank you.

Recommended answer

As you say, Golang Storage Client Libraries require a service account json file to sign urls.

There is currently a feature request open in GitHub for this, but you should be able to work around this with this sample that I found here:

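package main

import (
	"context"
	"fmt"
	"time"

	"cloud.google.com/go/iam/credentials/apiv1"
	"cloud.google.com/go/storage"
	credentialspb "google.golang.org/genproto/googleapis/iam/credentials/v1"
)

const (
	bucketName     = "bucket-name"
	objectName     = "object"
	serviceAccount = "[PROJECTNUMBER]-compute@developer.gserviceaccount.com"
)

func main() {
	ctx := context.Background()

	// Uses the credentials of the Cloud Run runtime service account; no key file is needed.
	// That identity must be allowed to call signBlob (permission iam.serviceAccounts.signBlob)
	// on the service account named above.
	c, err := credentials.NewIamCredentialsClient(ctx)
	if err != nil {
		panic(err)
	}
	defer c.Close()

	opts := &storage.SignedURLOptions{
		// Request V4 signing explicitly, since that is what the question asks for.
		Scheme:         storage.SigningSchemeV4,
		Method:         "GET",
		GoogleAccessID: serviceAccount,
		// SignBytes delegates the signature to the IAM Credentials API,
		// so the private key never has to be present in the container.
		SignBytes: func(b []byte) ([]byte, error) {
			req := &credentialspb.SignBlobRequest{
				Payload: b,
				// The IAM Credentials API documents this resource name format.
				Name: "projects/-/serviceAccounts/" + serviceAccount,
			}
			resp, err := c.SignBlob(ctx, req)
			if err != nil {
				// Return the error so storage.SignedURL can report it.
				return nil, err
			}
			return resp.SignedBlob, nil
		},
		Expires: time.Now().Add(15 * time.Minute),
	}

	u, err := storage.SignedURL(bucketName, objectName, opts)
	if err != nil {
		panic(err)
	}

	fmt.Printf("\"%v\"", u)
}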
