Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

getSignedUrl using Workload Identity Federation #1550

Closed
andrewmcoupe opened this issue Aug 23, 2021 · 7 comments
Closed

getSignedUrl using Workload Identity Federation #1550

andrewmcoupe opened this issue Aug 23, 2021 · 7 comments
Assignees
@danielbankhead
Labels
api: storage Issues related to the googleapis/nodejs-storage API. external This issue is blocked on a bug with the actual product. priority: p2 Moderately-important priority. Fix may not be included in next release. type: question Request for information or clarification. Not an issue.

Comments

@andrewmcoupe
Copy link

andrewmcoupe commented Aug 23, 2021
edited
Loading

I'm using google-auth-library to access Google Cloud resources from AWS which works nicely and allows me to upload a file to my required bucket. When I attempt to get a signed url using

const [url] = await myBucket
        .file(fileName)
        .getSignedUrl({
          expires: Date.now() + 15 * 60 * 1000, // 15 minutes
          action: 'read',
        });

I get a SignatureDoesNotMatch error when trying to access the URL in a web browser.

If I generate a service account keyfile and provide the private_key field from the file when I instantiate Storage then the signed URL works (see code below).

Does getting a signed URL not work well with Workload Identity Federation?

      credentials: {
        client_email: clientEmail!,
        private_key: process.env.GOOGLE_PRIVATE_KEY.replace(
          new RegExp('\\\\n', 'g'),
          '\n',
        ),
      },
    });

For some context, I followed this walkthrough: https://www.youtube.com/watch?v=Eh0mJwFo9Ak&t=800s
@product-auto-label product-auto-label bot added the api: storage Issues related to the googleapis/nodejs-storage API. label Aug 23, 2021
@JesseLovelace JesseLovelace added type: question Request for information or clarification. Not an issue. priority: p2 Moderately-important priority. Fix may not be included in next release. labels Aug 24, 2021
@JesseLovelace
Copy link
Contributor

Hey Andrew, thanks for bringing this to our attention. I'm looking into this, trying to familiarize myself with Workload Identity Federation. Just to make sure I have it right, you've created an AWS role which is impersonating a GCS service account, and pointed GOOGLE_APPLICATION_CREDENTIALS to the file with the credentials for this role in the settings for your lambda function? The service account is ultimately used in the signing process so it's possible that with this setup it's not resolving correctly. At first glance I'm not sure why but my guess would be some issue with the auth library

@andrewmcoupe
Copy link
Author

@JesseLovelace Yep, you have my setup correct. The path to the credentials seems to be resolving as I can access the storage bucket with no problems, just resolving a signed URL seems to be the blocker. To get this I have to generate a service account creds file and use the private_key from there.

@JesseLovelace
Copy link
Contributor

Sorry for such a sanity-check type question, but what version of google-auth-library are you using? I'm only asking because it seems that support for signing via impersonated credentials was added very recently, as in 12 days ago recently. If you're on that version or later I'll cut an issue with google-auth-library, I have to assume it's some problem with that implementation of signing via impersonated credentials

@andrewmcoupe
Copy link
Author

@JesseLovelace I am actually on 7.6.2 so it should work? I've looked at the changes made in that release and I have the correct permissions setup for the service account being impersonated (Token Creator).

@JesseLovelace JesseLovelace mentioned this issue Aug 26, 2021
Closed
@JesseLovelace
Copy link
Contributor

Cut googleapis/google-auth-library-nodejs#1239 with auth library

@shaffeeullah shaffeeullah added the external This issue is blocked on a bug with the actual product. label Sep 2, 2021
@danielbankhead danielbankhead self-assigned this Apr 29, 2022
@danielduhh
Copy link

Can we close this? @ddelgrosso1

@ddelgrosso1
Copy link
Contributor

This should now be resolved with the above fixes. Closing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@danielbankhead danielbankhead

Labels
api: storage Issues related to the googleapis/nodejs-storage API. external This issue is blocked on a bug with the actual product. priority: p2 Moderately-important priority. Fix may not be included in next release. type: question Request for information or clarification. Not an issue.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@danielduhh @danielbankhead @andrewmcoupe @shaffeeullah @JesseLovelace @ddelgrosso1