Generate signed URLs when using workload identity in Java #10464
Comments
Feature request to java-storage.
The code in google-cloud-storage to sign urls depends upon the value provided in In this case it sounds like the type of credentials provided doesn't know how to sign. I think this is actually an issue that would need to be addressed in google-auth-library, rather than the storage library code itself. @TimurSadykov Do you know if there is anything already on the roadmap to implement the sign method for credentials that work with workload identity?
ack, I'll chat with the team that owns WIF
Thanks for stopping by to let us know something could be better!
PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.
Is your feature request related to a problem? Please describe.
[Storage] We are opening this Feature Request as we want to be able to easily generate signed URLs when using workload identity. We understand that this is a known missing feature and it is being worked on through other GitHub feature requests for .NET [1] and Ruby [2], but we want this functionality to also be available for Java.
Describe the solution you'd like
We found a recent Google Cloud Collective response in a Stack Overflow issue [3] explaining the following: “External account credentials (Workload ID) are not supported as URL signers and you need to use the IAM service to sign the blob yourself. External account credentials are not currently supported for URL signing because it's not always possible to know client side which service account the credential maps back to, and that's a requirement (we would be calling the IAM service internally for this).”
We know this is already being worked on and there are some workarounds for .NET [1] and Ruby [2]; therefore, we want to have a resolution/workaround on the Java side as well.
Describe alternatives you've considered
Tried using this example [4] by adapting it to Java, but started receiving the following exception:
This is the code being used:
Additional context
[1] googleapis/google-api-dotnet-client#2410
[2] googleapis/google-cloud-ruby#13307
[3] https://stackoverflow.com/a/76266912
[4] https://gist.github.com/jezhumble/91051485db4462add82045ef9ac2a0ec
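One way to follow the quoted advice ("use the IAM service to sign the blob yourself") from Java, as an added example that is not code from this issue or from the library maintainers: name the signing service account explicitly through `ImpersonatedCredentials`, which implements `ServiceAccountSigner` and signs through the IAM Credentials API, and pass it to `Storage.SignUrlOption.signWith`. The service account email, bucket and object names are placeholders, and the example assumes the workload's identity holds `iam.serviceAccounts.signBlob` (for example via `roles/iam.serviceAccountTokenCreator`) on that one service account only.

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.cloud.storage.BlobInfo;
import com.google.cloud.storage.HttpMethod;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.net.URL;
import java.util.Collections;
import java.util.concurrent.TimeUnit;

public class SignUrlWithWorkloadIdentity {
  // Placeholders (assumptions, not values from the issue): substitute your own.
  static final String SIGNER_SA = "SIGNER_SA_NAME@PROJECT_ID.iam.gserviceaccount.com";
  static final String BUCKET = "BUCKET_NAME";
  static final String OBJECT = "OBJECT_NAME";

  public static void main(String[] args) throws Exception {
    // Ambient credentials of the workload. With workload identity these
    // typically cannot sign on their own, which is the problem in this issue.
    GoogleCredentials source = GoogleCredentials.getApplicationDefault();

    // Naming the service account explicitly removes the ambiguity the quoted
    // answer describes: the client now knows which account the signature
    // belongs to. sign() is delegated to the IAM Credentials signBlob call,
    // authorized by the source credentials.
    ImpersonatedCredentials signer = ImpersonatedCredentials.create(
        source,
        SIGNER_SA,
        null, // no delegation chain
        Collections.singletonList("https://www.googleapis.com/auth/cloud-platform"),
        300); // lifetime in seconds of any impersonated token; keep it short

    Storage storage =
        StorageOptions.newBuilder().setCredentials(source).build().getService();

    // The URL carries the signer's access to the object, so SIGNER_SA should
    // have read access to this object and nothing broader. Keep expiry short.
    URL url = storage.signUrl(
        BlobInfo.newBuilder(BUCKET, OBJECT).build(),
        15, TimeUnit.MINUTES,
        Storage.SignUrlOption.httpMethod(HttpMethod.GET),
        Storage.SignUrlOption.withV4Signature(),
        Storage.SignUrlOption.signWith(signer));

    System.out.println(url);
  }
}
```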