From 16e88aa46a1289124a6311ee0ffb05ca1a6df82b Mon Sep 17 00:00:00 2001
From: Chukwuma Nwaugha
Date: Tue, 19 Nov 2024 16:29:59 +0000
Subject: [PATCH] use a different cred for signing blobs from gcs
---
 api/src/services/storage.py | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/api/src/services/storage.py b/api/src/services/storage.py
index 28b3326..9793d03 100644
--- a/api/src/services/storage.py
+++ b/api/src/services/storage.py
@@ -6,6 +6,8 @@ from typing import Any, Dict
 from uuid import uuid4
+from google.auth import compute_engine, default
+from google.auth.transport import requests
 from google.cloud import storage
 from pydub import AudioSegment
@@ -100,8 +102,24 @@ def get_signed_url(self, blobname, expiration=datetime.timedelta(days=1)):
 if not blob.exists():
 raise Exception(f"Blob {blobname} does not exist")
- return blob.generate_signed_url(
- version="v4",
- expiration=expiration,
- method="GET",
- )
+ if os.environ.get("ENV", "dev") == "prod":
+ credentials, _ = default()
+ auth_request = requests.Request()
+ credentials.refresh(auth_request)
+
+ signing_credentials = compute_engine.IDTokenCredentials(
+ auth_request, "", service_account_email=credentials.service_account_email
+ )
+
+ return blob.generate_signed_url(
+ version="v4",
+ expiration=expiration,
+ method="GET",
+ credentials=signing_credentials,
+ )
+ else:
+ return blob.generate_signed_url(
+ version="v4",
+ expiration=expiration,
+ method="GET",
+ )
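Review bot: The signing path in `get_signed_url` is chosen by `os.environ.get("ENV", "dev") == "prod"`, so a deployment where `ENV` is unset or has any other value silently takes the `else` branch, which presumably cannot sign when the ambient credential has no private key (the case this commit works around). Selecting on the credential itself is sturdier: call `credentials, _ = default()` first and branch on `isinstance(credentials, compute_engine.Credentials)`, which also avoids an `AttributeError` on `credentials.service_account_email` if a different credential type is ever loaded in prod. The `IDTokenCredentials` built with an empty audience is, as far as I can tell, used only for its IAM-backed signer; `generate_signed_url` also accepts `service_account_email=credentials.service_account_email, access_token=credentials.token`, which states that intent directly. Either way the runtime service account needs permission to sign blobs as itself, so a comment such as `# metadata-server credentials carry no private key; signing goes through IAM signBlob` should record that requirement, and the grant is best scoped to that one service account rather than the project. The function body starts above this hunk.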