use a different cred for signing blobs from gcs

nwaughachukwuma · Nov 19, 2024 · 16e88aa · 16e88aa
1 parent 9d28f79
commit 16e88aa
Showing 1 changed file with 23 additions and 5 deletions.
diff --git a/api/src/services/storage.py b/api/src/services/storage.py
@@ -6,6 +6,8 @@
 from typing import Any, Dict
 from uuid import uuid4
 
+from google.auth import compute_engine, default
+from google.auth.transport import requests
 from google.cloud import storage
 from pydub import AudioSegment
 
@@ -100,8 +102,24 @@ def get_signed_url(self, blobname, expiration=datetime.timedelta(days=1)):
         if not blob.exists():
             raise Exception(f"Blob {blobname} does not exist")
 
-        return blob.generate_signed_url(
-            version="v4",
-            expiration=expiration,
-            method="GET",
-        )
+        if os.environ.get("ENV", "dev") == "prod":
+            credentials, _ = default()
+            auth_request = requests.Request()
+            credentials.refresh(auth_request)
+
+            signing_credentials = compute_engine.IDTokenCredentials(
+                auth_request, "", service_account_email=credentials.service_account_email
+            )
+
+            return blob.generate_signed_url(
+                version="v4",
+                expiration=expiration,
+                method="GET",
+                credentials=signing_credentials,
+            )
+        else:
+            return blob.generate_signed_url(
+                version="v4",
+                expiration=expiration,
+                method="GET",
+            )