Summary: when using Cloud Functions, calls to getSignedUrl() fail, with an error pointing to bad credentials. If I supply my own p12 credentials, rather than relying on application default credentials from Cloud Functions, it works, but that's a bad user experience.
1. Create a Cloud Function that includes the following code (I'm using TypeScript):
```ts
import * as _storage from '@google-cloud/storage'
import * as functions from 'firebase-functions'
const bucket = _storage().bucket(functions.config().firebase.storageBucket);
var path =
const file = bucket.file(path);
var config = {
  action: 'read',
  expires: '03-17-2025'
};
var su = await file.getSignedUrl(config);
```
2. Deploy and run the function.
Expected behavior is the creation of a signed URL.
Instead, the logs in the Cloud Functions tab of the Firebase Console say:
```
SigningError: Could not get credentials without a JSON, pem, or p12 keyfile.
    at /user_code/node_modules/@google-cloud/storage/src/file.js:1465:16
    at /user_code/node_modules/@google-cloud/storage/node_modules/google-auto-auth/index.js:121:7
    at process._tickDomainCallback (internal/process/next_tick.js:129:7)
```
Unfortunately, we are not able to implement this. There is an issue discussing this problem on the centralized repo for all google-cloud client libraries: https://github.com/GoogleCloudPlatform/gcloud-common/issues/180
Ok, can we leave this bug open, even if it's blocked by another issue? It's still a bug.
I'd rather track it upstream, since as it stands now, it's not technically possible. If and when it is, we will use that centralized issue as the starting point for all of the client library repos to take action from.
Any news?
I've been trying to get this to work but it is just impossible :sob:
I want to get the download URL of my file. For the same, I tried the above approach and it didn't work as expected. Is there any update or workaround possible to use this?
No updates?
@stephenplusplus I'm having trouble figuring out what's missing here. I think we did a bunch of the updates needed to google-auth-library to support this, right?
Yes, I believe it should just work. If somebody is still having issues, could you confirm that the steps from the opening post still produce the same error? (Be sure to update to the latest of our libraries).
Tried this today, got the following error:
```
{ SigningError: Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/fake-project/serviceAccounts/[email protected].
    at /srv/node_modules/firebase-admin/node_modules/@google-cloud/storage/src/file.js:1784:16
    at Request._callback (/srv/node_modules/google-auto-auth/index.js:362:9)
    at Request.self.callback (/srv/node_modules/request/request.js:185:22)
    at emitTwo (events.js:126:13)
    at Request.emit (events.js:214:7)
    at Request.<anonymous> (/srv/node_modules/request/request.js:1161:10)
    at emitOne (events.js:116:13)
    at Request.emit (events.js:211:7)
    at IncomingMessage.<anonymous> (/srv/node_modules/request/request.js:1083:12)
    at Object.onceWrapper (events.js:313:30)
  message: 'Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/fake-project/serviceAccounts/[email protected].' }
```
The upstream ticket mentions needing the signBlob permission.
Hi, also getting an error on this:
```
SigningError: A Forbidden error was returned while attempting to retrieve an access token for the Compute Engine built-in service account. This may be because the Compute Engine instance does not have the correct permission scopes specified. Identity and Access Management (IAM) API has not been used in project XXX before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/iam.googleapis.com/overview?project=XXX then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
    at authClient.sign.then.catch.err (/srv/node_modules/@google-cloud/storage/build/src/file.js:1855:22)
    at <anonymous>
    at process._tickDomainCallback (internal/process/next_tick.js:229:7)
```
After enabling the API, then getting:
```
SigningError: A Forbidden error was returned while attempting to retrieve an access token for the Compute Engine built-in service account. This may be because the Compute Engine instance does not have the correct permission scopes specified. Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/XXX/serviceAccounts/[email protected].
    at authClient.sign.then.catch.err (/srv/node_modules/@google-cloud/storage/build/src/file.js:1855:22)
    at <anonymous>
    at process._tickDomainCallback (internal/process/next_tick.js:229:7)
```
I'm getting the exact same as above. No further information on this?
Greetings! If you're having trouble, would you mind posting a new issue with details? Thanks!
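Why a key file or the signBlob permission keeps coming up in this thread, as an added example that is not code from the thread or from @google-cloud/storage: it builds a Cloud Storage V2-style signed URL with Node's crypto module and checks it the way the receiving side would. The bucket, object, service-account address and helper names are constructed, and the RSA key pair is generated locally as a stand-in for a key file.

```javascript
const crypto = require('crypto');

// Constructed stand-in for a service-account key file; generated locally, not a real credential.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// V2 string-to-sign: verb, Content-MD5, Content-Type, expiry (epoch seconds), resource path.
function stringToSign(method, bucket, object, expires) {
  return [method, '', '', expires, `/${bucket}/${object}`].join('\n');
}

// Local signing is only possible when the process holds the private key.
function localSigner(key) {
  return (data) => crypto.sign('sha256', Buffer.from(data), key).toString('base64');
}

function signedUrl({ bucket, object, expires, clientEmail, sign }) {
  if (typeof sign !== 'function') {
    // Application default credentials on Cloud Functions give an access token, not a key,
    // so the only way to sign is the IAM signBlob call, which needs iam.serviceAccounts.signBlob.
    throw new Error('no private key: signing needs a keyfile or iam.serviceAccounts.signBlob');
  }
  const query = new URLSearchParams({
    GoogleAccessId: clientEmail,
    Expires: String(expires),
    Signature: sign(stringToSign('GET', bucket, object, expires)),
  });
  return `https://storage.googleapis.com/${bucket}/${object}?${query}`;
}

// Recompute the string-to-sign from the URL and check the signature, as the server side would.
function verifyUrl(url, key) {
  const u = new URL(url);
  const [, bucket, ...rest] = u.pathname.split('/');
  const data = stringToSign('GET', bucket, rest.join('/'), u.searchParams.get('Expires'));
  const sig = Buffer.from(u.searchParams.get('Signature'), 'base64');
  return crypto.verify('sha256', Buffer.from(data), key, sig);
}

const url = signedUrl({
  bucket: 'example-bucket', object: 'images/cat.png',  // constructed names
  expires: Date.UTC(2025, 2, 17) / 1000,
  clientEmail: 'signer@example-project.iam.gserviceaccount.com',
  sign: localSigner(privateKey),
});
console.log(verifyUrl(url, publicKey));
console.log(verifyUrl(url.replace(/Expires=\d+/, 'Expires=9999999999'), publicKey));
```

Because the signature covers the expiry and the resource path, anyone holding the signing capability can mint read URLs for any object the service account can reach, so the signBlob permission is best granted on the one service account that needs it rather than project-wide.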