You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Mar 31, 2026. It is now read-only.
I am calling generate_signed_post_policy_v4() on pod running on GKE using Application default credentials to avoid using service account key.
In latest code, even though generate_signed_post_policy_v4() support passing in service_account_email and access_token and use them to generate signature, it still unconditional call ensure_signed_credentials()
If we are Application default credentials and getting the credential from GKE metadata server, it will not pass the ensure_signed_credentials() checking and returning AttributeError: you need a private key to sign credentials.the credentials you are currently using <class 'google.auth.compute_engine.credentials.Credentials'> just contains a token. see https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-account for more details.
generate_signed_post_policy_v4() should have similar handling as in generate_signed_url_v4()
# If you are on Google Compute Engine, you can't generate a signed URL.
# See https://github.com/googleapis/google-cloud-python/issues/922
client_email=service_account_email
ifnotaccess_tokenornotservice_account_email:
ensure_signed_credentials(credentials)
client_email=credentials.signer_email
My current workaround is to implement class an pass it to generate_signed_post_policy_v4() as credentials to by-pass the checking of ensure_signed_credentials()
fromgoogle.auth.credentialsimportSigningclass_SigningCredential(Signing):
def__init__(self, service_account_email: str):
self._signer_email=service_account_email@propertydefsigner_email(self):
returnself._signer_email@propertydefsigner(self):
raiseNotImplementedError('Not in use')
defsign_bytes(self, message):
raiseNotImplementedError('Not in use')
I am calling
generate_signed_post_policy_v4()on pod running on GKE using Application default credentials to avoid using service account key.In latest code, even though
generate_signed_post_policy_v4()support passing inservice_account_emailandaccess_tokenand use them to generate signature, it still unconditional callensure_signed_credentials()python-storage/google/cloud/storage/client.py
Lines 1726 to 1727 in 02a972d
If we are Application default credentials and getting the credential from GKE metadata server, it will not pass the
ensure_signed_credentials()checking and returningAttributeError: you need a private key to sign credentials.the credentials you are currently using <class 'google.auth.compute_engine.credentials.Credentials'> just contains a token. see https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-account for more details.generate_signed_post_policy_v4()should have similar handling as ingenerate_signed_url_v4()python-storage/google/cloud/storage/_signing.py
Lines 541 to 547 in e3cfc47
My current workaround is to implement class an pass it to
generate_signed_post_policy_v4()ascredentialsto by-pass the checking ofensure_signed_credentials()Environment details
google-cloud-storageversion:2.17.0