Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(cred): Use in built library instead of forced cred #1340

Closed
wants to merge 2 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions docs/backends/gcloud.rst
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ For development use cases, or other instances outside Google infrastructure:

Alternatively, you can use the setting ``credentials`` or ``GS_CREDENTIALS`` as described below.

It is also now possible to use workload identity by providing the service account via ``GS_SA_SIGNING_EMAIL``.

Settings
~~~~~~~~
Expand Down Expand Up @@ -219,3 +220,12 @@ Settings
It supports `timedelta`, `datetime`, or `integer` seconds since epoch time.

Note: The maximum value for this option is 7 days (604800 seconds) in version `v4` (See this `Github issue <https://github.com/googleapis/python-storage/issues/456#issuecomment-856884993>`_)

``sa_email`` or ``GS_SA_SIGNING_EMAIL``

default: ``''``

This is the signing email if it is not fetched from the credentials. Or if you wish to sign the signed urls with a different service_account.

As above please note that, Default Google Compute Engine (GCE) Service accounts are
`unable to sign urls <https://googlecloudplatform.github.io/google-cloud-python/latest/storage/blobs.html#google.cloud.storage.blob.Blob.generate_signed_url>`_.
dark0dave marked this conversation as resolved.
Show resolved Hide resolved
2 changes: 1 addition & 1 deletion pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ dropbox = [
"dropbox>=7.2.1; python_version<'3.12'",
]
google = [
"google-cloud-storage>=1.27",
"google-cloud-storage>=2.14",
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you link to why we need to bump this requirement?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No. Buts generally good to bump the library.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It’s good to bump your application requirements but as a library I’m trying to maintain as much flexibility for users as possible. If we need a new feature then bumping is worthwhile.

A major version bump in particular could induce work and compat issues to users.

]
libcloud = [
"apache-libcloud",
Expand Down
25 changes: 15 additions & 10 deletions storages/backends/gcloud.py
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@
from storages.utils import to_bytes

try:
from google import auth
from google.auth.transport import requests
from google.cloud.exceptions import NotFound
from google.cloud.storage import Blob
from google.cloud.storage import Client
Expand Down Expand Up @@ -142,12 +144,18 @@ def get_default_settings(self):
# roll over.
"max_memory_size": setting("GS_MAX_MEMORY_SIZE", 0),
"blob_chunk_size": setting("GS_BLOB_CHUNK_SIZE"),
"sa_email": setting("GS_SA_SIGNING_EMAIL")
}

@property
def client(self):
if self._client is None:
self._client = Client(project=self.project_id, credentials=self.credentials)
project_id, credentials = self.project_id, self.credentials
if project_id is None and credentials is None:
credentials, project_id = auth.default(scopes=['https://www.googleapis.com/auth/cloud-platform'])
if not hasattr(credentials, "service_account_email"):
credentials.service_account_email = self.sa_email
self._client = Client(project=project_id, credentials=credentials)
return self._client

@property
Expand Down Expand Up @@ -319,17 +327,14 @@ def url(self, name, parameters=None):
quoted_name=_quote(name, safe=b"/~"),
)
else:
default_params = {
"bucket_bound_hostname": self.custom_endpoint,
params = {
"service_account_email": self.credentials.service_account_email,
"access_token": self.credentials.token,
Copy link

@yohannes15 yohannes15 Jul 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

currently self.credentials throws a attribute error here as well since self.credentials hasn't been changed. the credentials that were set in the client @Property doesn't flow over here. Might have to either set the self.credentials in there, or use self._client._credentials. 1st one seems ugly in setting a instance variable in an other property, 2nd option uses private attribute from Client.. There is probably a 3rd option but that might involve some additional clean up

"credentials": self.credentials,
"expiration": self.expiration,
"version": "v4",
}
params = parameters or {}

for key, value in default_params.items():
if value and key not in params:
params[key] = value

if self.custom_endpoint:
params["api_access_endpoint"] = self.custom_endpoint
Comment on lines -322 to +337
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This set of changes reverts using the parameters bit of url(). Sorry if there is no test currently covering this.

return blob.generate_signed_url(**params)

def get_available_name(self, name, max_length=None):
Expand Down