Support redirects in gcs storage with default credentials #4295
Conversation
There was a problem hiding this comment.
It doesn't look like any new storage driver configuration is needed to support signing when using default credentials from any source, including credentials from logging in with the gcloud CLI. I would prefer not to add new configuration if it is not required.
Sadly adding this isn't backward compatible [...] so maybe it would be ok for a major release?
You're in luck! That major release is v3.0.0, which we have not yet tagged. You don't need to worry about this being a breaking change.
docs/content/storage-drivers/gcs.md
Outdated
|
|
||
| To use redirects when using default credentials assigned to a virtual machine you have to enable "IAM Service Account Credentials API" and grant `iam.serviceAccounts.signBlob` permission on the service account used for signing GCS URLs - under the hood GCP client will use [signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob) IAM API. | ||
|
|
||
| To use redirects with default credentials from Google Cloud CLI in addition to permissions mentioned above you have to configure `defaultcredentials.email`. |
There was a problem hiding this comment.
According to https://pkg.go.dev/cloud.google.com/go/storage#hdr-Credential_requirements_for_signing you just have to log into the gcloud CLI with impersonation enabled for signing to work without a GoogleAccessID. Why can't users just do that?
There was a problem hiding this comment.
You're right, I missed that part of documentation. I tested it now and it works like a charm
Signed-off-by: Tadeusz Dudkiewicz <tadeusz.dudkiewicz@rtbhouse.com>
c33b47b to
de450c9
Compare
Sure, it sounds reasonable. I've removed extra configuration and updated documentation. I thought about linking storage go docs, but I'm worried it may be a bit confusing so I decided no to.
Great, thanks a lot! |
Hi! GCS storage driver does not support redirect URLs only when configured to use application default credentials. Supporting this case looks useful in general and makes GCS driver behaviour consistent (currently, changing the configuration from using service account key to using default credentials may have an unexpected effect of making registry forward data increasing its' load).
This PR adds support and documentation for using redirects with default credentials. Since it was a very small change I've created the PR directly.
Sadly adding this isn't backward compatible - if someone is running a registry on a vm with default credentials and has left 'redirect' unconfigured then this PR is going to break their setup - after an upgrade they would start receiving errors if required IAM permissions weren't configured. It's easy to fix (either by configuring IAM, or by disabling 'redirect' in registry configuration), so maybe it would be ok for a major release? To make this backward compatible we could add an additional configurtation parameter (like this)...
WDYT, does it look ok?