Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Signed URL support #170

Open
grindarius opened this issue Nov 24, 2024 · 3 comments
Open

Signed URL support #170

grindarius opened this issue Nov 24, 2024 · 3 comments
Labels
enhancement New feature or request question Further information is requested

Comments

@grindarius
Copy link

Hello and thank you for this amazing library.

I've been working with this library for quite a while and it's really good. I wanna ask is it possible to support signed url generation for google cloud storage with this crate? I am willing to contribute to make it happen. Thank you.
@abdolence
Copy link
Owner

abdolence commented Nov 24, 2024
edited
Loading

Hey,

Seems you have everything needed available:

  1. You need to creating an URL to sign (kind of rewrite this example for Python): https://cloud.google.com/storage/docs/access-control/signing-urls-manually#python-sample)

  2. To sign you can use IAM client (or you can actually use any library that supports RSA signatures with SHA-256):

    let client: GoogleApi<IamCredentialsClient<GoogleAuthMiddleware>> = GoogleApi::from_function(
        IamCredentialsClient::new,
        "https://iamcredentials.googleapis.com",
        None,
    )
    .await?;

    let resp = client
        .get()
        .sign_blob(
            tonic::Request::new(
                gcloud_sdk::google::iam::credentials::v1::SignBlobRequest {
                    name: "projects/-/serviceAccounts/<your-sa@email>".to_string(),
                    delegates: vec![],
                    payload: canonical_req.as_bytes().to_vec(),
                }
            )
        )
        .await?;

If you want to make an auxiliary function to help others, feel free to open PR for sure :)

@abdolence abdolence added question Further information is requested enhancement New feature or request labels Nov 24, 2024
@grindarius
Copy link
Author

or you can actually use any library that supports RSA signatures with SHA-256

Does this mean I need to extend the Credentials enum, and if the service accout is present, load it into ring and use ring to sign right?

gcloud-sdk-rs/gcloud-sdk/src/token_source/credentials.rs

Lines 14 to 19 in db03cc9

pub enum Credentials {
ServiceAccount(ServiceAccount),
User(User),
// GCP Keyless integration with external parties such as GitHub
ExternalAccount(ExternalAccount),
}

@abdolence
Copy link
Owner

If you can use signBlob it is preferable (more secure setup), so you don't have to introduce and manually rotate JSON private keys.

Otherwise, no need to introduce any other type, you just need to read JSON file using existing functions like from_well_known_file/from_file/fron_json to read Credentials.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@abdolence @grindarius