Support for IAM-based signing for GCS Bucket blobs

Open benglewis opened this issue 1 year ago • 1 comments

Current state:

Currently, gcsfs does not natively support generating signed URLs using IAM-based credentials provided by GCP Workload Identity or other non-private key credentials. This is a limitation when running in environments such as Google Kubernetes Engine (GKE) with Workload Identity, where only google.auth.compute_engine.credentials.Credentials are available (which are the IAM-based credentials provided via Workload Identity Federation and the recommended approach: GCP Best Practices for Workload Identity). These credentials do not include a private key, which is required for the current signing functionality in gcsfs.

Use case:

In environments like GKE with Workload Identity:

  • Using service account key files is discouraged for security reasons.
  • Credentials provided via Workload Identity rely on token-based authentication and require the use of the signBlob API to generate signed URLs.

Adding support for IAM-based signing would enable secure and native integration with GCP for generating signed URLs in such environments.

Proposed Solution:

Implement an alternative signing mechanism in gcsfs that leverages the IAM Service Account Credentials API to generate signed URLs. This could be achieved by:

  1. Detecting the type of credentials in use (e.g., google.auth.compute_engine.credentials.Credentials).
  2. Using the signBlob API to sign requests when private key-based credentials are unavailable.

Example of Desired Behavior:

The sign() method in gcsfs could use IAM credentials to generate signed URLs transparently, even in environments where private keys are unavailable. For example:

import gcsfs
fs = gcsfs.GCSFileSystem()
signed_url = fs.sign("bucket-name/object-name", expiration=3600)
print(signed_url)  # Uses IAM-based signing if private key is not present

Notes:

  • Proper configuration is needed to ensure the correct IAM permissions (e.g., roles/iam.serviceAccountTokenCreator) are in place.

Finally: I would be happy to open a PR if it is relevant.

benglewis avatar Dec 25 '24 09:12 benglewis

Sorry I didn't respond to this earlier. I would be happy to see the signing method you suggest submitted as a PR. I'm not sure if it would be possible to test this via our CI, though.

martindurant avatar Mar 17 '25 16:03 martindurant
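
The two steps proposed in the issue (detect key-less credentials, then sign through a remote signer), as an added example that is not part of the thread and not gcsfs's own code: it builds the GCS V4 string-to-sign and hands it to any `sign_bytes` callable. `pick_signer`, `v4_signed_url`, `demo_signer` and the service account e-mail are hypothetical names and values; `demo_signer` is a constructed offline stand-in for signBlob.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

HOST = "storage.googleapis.com"


def pick_signer(credentials, remote_signer):
    """Use the credential's own key if it has one, else the remote (signBlob-style) signer."""
    return getattr(credentials, "sign_bytes", None) or remote_signer


def v4_signed_url(bucket, obj, sa_email, sign_bytes, expiration=3600, now=None):
    """Build a V4 signed GET URL; sign_bytes(bytes) -> bytes is the only key-dependent step."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{stamp[:8]}/auto/storage/goog4_request"
    params = {
        "X-Goog-Algorithm": "GOOG4-RSA-SHA256",
        "X-Goog-Credential": f"{sa_email}/{scope}",
        "X-Goog-Date": stamp,
        "X-Goog-Expires": str(expiration),
        "X-Goog-SignedHeaders": "host",
    }
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    path = f"/{bucket}/{quote(obj, safe='/~')}"
    # Canonical request: verb, path, query, headers, blank line, signed headers, payload.
    canonical = "\n".join(["GET", path, query, f"host:{HOST}", "", "host", "UNSIGNED-PAYLOAD"])
    digest = hashlib.sha256(canonical.encode()).hexdigest()
    string_to_sign = "\n".join(["GOOG4-RSA-SHA256", stamp, scope, digest])
    signature = sign_bytes(string_to_sign.encode()).hex()
    return f"https://{HOST}{path}?{query}&X-Goog-Signature={signature}"


def demo_signer(payload):
    """Constructed stand-in so this runs offline; NOT a valid signature for GCS."""
    return hmac.new(b"demo-only", payload, hashlib.sha256).digest()


if __name__ == "__main__":
    # Assumed real replacement for demo_signer: google.auth.iam.Signer(request,
    # credentials, sa_email).sign, which calls signBlob with the workload's token.
    token_only = object()  # constructed credential with no private key
    signer = pick_signer(token_only, demo_signer)
    print(v4_signed_url("bucket-name", "object-name",
                        "sa@example-project.iam.gserviceaccount.com", signer))
```

Only the `sign_bytes` call touches key material, so the private key never has to leave Google's side; the caller needs the signing permission on the service account named in `X-Goog-Credential`, as the issue's note on roles/iam.serviceAccountTokenCreator says.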