SignedURLService¶
- class safir.gcs.SignedURLService(service_account, lifetime=datetime.timedelta(seconds=3600))¶
Bases:
object
Generate signed URLs for Google Cloud Storage blobs.
Uses default credentials plus credential impersonation to generate signed URLs for Google Cloud Storage blobs. This is the correct approach when running as a Kubernetes pod using workload identity.
- Parameters:
Notes
The workload identity (or other default credentials) under which the caller is running must have
roles/iam.serviceAccountTokenCreator
on the service account given in theservice_account
parameter. This is how a workload identity can retrieve a key that can be used to create a signed URL.See gcs_signedurl for additional details on how this works.
Methods Summary
signed_url
(uri, mime_type)Generate signed URL for a given storage object.
Methods Documentation
- signed_url(uri, mime_type)¶
Generate signed URL for a given storage object.
- Parameters:
- Returns:
New signed URL, which will be valid for as long as the lifetime parameter to the object.
- Return type:
- Raises:
ValueError – The
uri
parameter is not an S3 URI.
Notes
This is inefficient, since it gets new signing credentials each time it generates a signed URL. Doing better will require figuring out the lifetime and refreshing the credentials when the lifetime has expired.