Skip to content

Commit

Permalink
fix(expiration): Add expiration back
Browse files Browse the repository at this point in the history
Signed-off-by: dark0dave <dark0dave@mykolab.com>
  • Loading branch information
dark0dave committed Feb 20, 2024
1 parent f06cfdb commit 3d2a913
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 23 deletions.
10 changes: 10 additions & 0 deletions docs/backends/gcloud.rst
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ For development use cases, or other instances outside Google infrastructure:

Alternatively, you can use the setting ``credentials`` or ``GS_CREDENTIALS`` as described below.

It is also now possible to use workload identity by providing the service account via ``GS_SA_SIGNING_EMAIL``.

Settings
~~~~~~~~
Expand Down Expand Up @@ -219,3 +220,12 @@ Settings
It supports `timedelta`, `datetime`, or `integer` seconds since epoch time.

Note: The maximum value for this option is 7 days (604800 seconds) in version `v4` (See this `Github issue <https://github.com/googleapis/python-storage/issues/456#issuecomment-856884993>`_)

``sa_email`` or ``GS_SA_SIGNING_EMAIL``

default: ``''``

This is the signing email if it is not fetched from the credentials. Or if you wish to sign the signed urls with a different service_account.

As above please note that, Default Google Compute Engine (GCE) Service accounts are
`unable to sign urls <https://googlecloudplatform.github.io/google-cloud-python/latest/storage/blobs.html#google.cloud.storage.blob.Blob.generate_signed_url>`_.
38 changes: 15 additions & 23 deletions storages/backends/gcloud.py
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
import gzip
import logging
import io
import mimetypes
from datetime import timedelta
Expand Down Expand Up @@ -37,7 +36,6 @@

CONTENT_ENCODING = "content_encoding"
CONTENT_TYPE = "content_type"
_LOGGER = logging.getLogger(__name__)


class GoogleCloudFile(CompressedFileMixin, File):
Expand Down Expand Up @@ -151,15 +149,13 @@ def get_default_settings(self):

@property
def client(self):
credentials, project_id = auth.default(scopes=['https://www.googleapis.com/auth/cloud-platform'])
credentials.refresh(requests.Request())
if not hasattr(credentials, "service_account_email"):
credentials.service_account_email = self.sa_email
_LOGGER.debug(f"Signing email: {credentials.service_account_email}")
self.credentials = credentials
if self._client is None:
self._client = Client(project=project_id, credentials=self.credentials)
return self._client
project_id, credentials = self.project_id, self.credentials
if project_id is None and credentials is None:
credentials, project_id = auth.default(scopes=['https://www.googleapis.com/auth/cloud-platform'])
if not hasattr(credentials, "service_account_email"):
credentials.service_account_email = self.sa_email
self._client = Client(project=project, credentials=credentials)

@property
def bucket(self):
Expand Down Expand Up @@ -329,20 +325,16 @@ def url(self, name, parameters=None):
storage_base_url=self.custom_endpoint,
quoted_name=_quote(name, safe=b"/~"),
)
elif not self.custom_endpoint:
return blob.generate_signed_url(**self.signed_url_extra())
else:
return blob.generate_signed_url(
api_access_endpoint=self.custom_endpoint,
**self.signed_url_extra()
)

def signed_url_extra(self):
return {
"service_account_email": self.credentials.service_account_email,
"access_token": self.credentials.token,
"credentials": self.credentials,
}
params = {
"service_account_email": self.credentials.service_account_email,
"access_token": self.credentials.token,
"credentials": self.credentials,
"expiration": self.expiration,
}
if self.custom_endpoint:
params["api_access_endpoint"] = self.custom_endpoint
return blob.generate_signed_url(**params)

def get_available_name(self, name, max_length=None):
name = clean_name(name)
Expand Down

0 comments on commit 3d2a913

Please sign in to comment.