class safir.gcs.SignedURLService(service_account, lifetime=datetime.timedelta(seconds=3600))

Bases: object

Generate signed URLs for Google Cloud Storage blobs.

Uses default credentials plus credential impersonation to generate signed URLs for Google Cloud Storage blobs. This is the correct approach when running as a Kubernetes pod using workload identity.

  • service_account (str) – The service account to use to sign the URLs. The workload identity must have access to generate service account tokens for that service account.

  • lifetime (timedelta, default: datetime.timedelta(seconds=3600)) – Lifetime of the generated signed URLs.


The workload identity (or other default credentials) under which the caller is running must have roles/iam.serviceAccountTokenCreator on the service account given in the service_account parameter. This is how a workload identity can retrieve a key that can be used to create a signed URL.

See gcs_signedurl for additional details on how this works.

Methods Summary

signed_url(uri, mime_type)

Generate signed URL for a given storage object.

Methods Documentation

signed_url(uri, mime_type)

Generate signed URL for a given storage object.

  • uri (str) – URI for the storage object. This must start with s3:// and use the S3 URI syntax to specify bucket and blob of a Google Cloud Storage object.

  • mime_type (str | None) – MIME type of the object, for encoding in the signed URL.


New signed URL, which will be valid for as long as the lifetime parameter to the object.

Return type:



ValueError – The uri parameter is not an S3 URI.


This is inefficient, since it gets new signing credentials each time it generates a signed URL. Doing better will require figuring out the lifetime and refreshing the credentials when the lifetime has expired.