Last active
November 6, 2024 22:23
-
-
Save jezhumble/91051485db4462add82045ef9ac2a0ec to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright 2019 Google LLC. | |
| # SPDX-License-Identifier: Apache-2.0 | |
| # This snippet shows you how to use Blob.generate_signed_url() from within compute engine / cloud functions | |
| # as described here: https://cloud.google.com/functions/docs/writing/http#uploading_files_via_cloud_storage | |
| # (without needing access to a private key) | |
| # Note: as described in that page, you need to run your function with a service account | |
| # with the permission roles/iam.serviceAccountTokenCreator | |
| import os, google.auth | |
| from google.auth.transport import requests | |
| from google.auth import compute_engine | |
| from datetime import datetime, timedelta | |
| from google.cloud import storage | |
| auth_request = requests.Request() | |
| credentials, project = google.auth.default() | |
| storage_client = storage.Client(project, credentials) | |
| data_bucket = storage_client.lookup_bucket(os.getenv("BUCKET_NAME")) | |
| signed_blob_path = data_bucket.blob("FILENAME") | |
| expires_at_ms = datetime.now() + timedelta(minutes=30) | |
| # This next line is the trick! | |
| signing_credentials = compute_engine.IDTokenCredentials(auth_request, "", service_account_email=credentials.service_account_email) | |
| signed_url = signed_blob_path.generate_signed_url(expires_at_ms, credentials=signing_credentials, version="v4") |
Not without a private key, which is super problematic both for production and local development.
If you need to accomplish this task within a Firebase Cloud function using .onCall(), please follow the steps outlined below:
from firebase_admin import storage
from google.auth import compute_engine
from google.auth.transport.requests import Request
from datetime import timedelta
def your_function(parameter):
# Create an authentication request
auth_request = Request()
# Get your IDTokenCredentials
signing_credentials = compute_engine.IDTokenCredentials(
auth_request,
"",
service_account_email='<ADD YOUR SERVICE ACCOUNT MAIL(Principal)>'
)
# Get your storage bucket
data_bucket = storage.bucket('<YOUR BUCKET>')
# Generate a signed URL for your bucket
blob = data_bucket.blob(parameter)
url = blob.generate_signed_url(
expiration=timedelta(days=7),
credentials=signing_credentials,
version="v4"
)
return urlRemember to replace '<ADD YOUR SERVICE ACCOUNT MAIL(Principal)>' and '' with your actual service account email and bucket name, respectively.
If all of the above did not work for you, this worked for me:
https://stackoverflow.com/a/78647388/9713831
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@adriangb This is my understanding as well. But there's a way to sign completely offline AFAIR.