Google-cloud-php: Unable to create a signed url for Google Storage using service account on App Engine

Created on 11 Aug 2020  路  10Comments  路  Source: googleapis/google-cloud-php

I'm unable to successfully retrieve a signed url for a Storage object in our App Engine app, using the default service account.

Logs show the error:

{
  "textPayload": "Message: Client error: `POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:signBlob?alt=json` resulted in a `403 Forbidden` response:",
  "insertId": "xxxxxx",
  "resource": {
    "type": "gae_app",
    "labels": {
      "module_id": "default",
      "version_id": "20200811t133023",
      "zone": "australia-southeast1-1",
      "project_id": "xxxxxx"
    }
  },
  "timestamp": "2020-08-11T09:13:09.844868Z",
  "labels": {
    "clone_id": "xxxxxx"
  },
  "logName": "projects/xxxxxx/logs/stderr",
  "receiveTimestamp": "2020-08-11T09:13:10.178345276Z"
}

Environment details

  • OS: Google App Engine runtime: php73
  • Package name and version: "google/cloud-storage": "^1.22"

Code example

$nowPlus24Hours = new \DateTime();
$nowPlus24Hours->add(new \DateInterval('P1D'));
$storage = new StorageClient();
$signedUrl = $storage->bucket($bucketRef)->object($imageRef)->signedUrl($nowPlus24Hours);
storage question

Most helpful comment

Make certain that your App Engine service account has the iam.serviceAccounts.signBlob IAM permission. It's part of the Service Account Token Creator role.

All 10 comments

Make certain that your App Engine service account has the iam.serviceAccounts.signBlob IAM permission. It's part of the Service Account Token Creator role.

As viewed in the IAM & Admin section of the Google Cloud Platform console the service account does have the role Service Account Token Creator.

Perhaps interesting is the fact that instead of relying on GOOGLE_APPLICATION_CREDENTIALS if I specify a key file (for the same service account) things work and I no longer get the error message in the logs.

Code Example

$storage = new StorageClient([
  'keyFilePath' => __DIR__ . '/../../config/abstract-key-xxxxxx.json'
]);

Since I'd generated a new key so that I could specify the key file, I tried removing the old key and things are now working as expected (without having to specify the key file in the live environment). The effect was not immediate though - I assume there must be some time before the auth is rechecked (and therefore registering the updated permissions).

Please ignore the last comment. I was mistaken. Without specifying the key file the retrieval of the signed url fails.

I just wanted to add that I have the same Environment details (php73 and "google/cloud-storage": "^1.22") and I'm experiencing the exact same problem as bretttoolin.

It's possible to sign the url if I do it on local machine with a key file (for the App Engine default service account). However when deployed to App Engine, it uses the same service account but still fails. I get the same error message but also this:
"Request had insufficient authentication scopes".

I'm also experiencing this issue. php73, "google/cloud-storage": "^1.23".

Trying to let GAE handle authentication itself using the default service account, but getting the same "Request had insufficient authentication scopes" and "...signBlob?alt=jsonresulted in a403 Forbidden..."

Made sure i had the Service Account Token Creator role setup in IAM, but no luck.

I'm experiencing the same issue. Service Account Token Creator role has been assigned to the App Engine default service account, but still no luck.

I'm experiencing the same issue on Coud Run. Service Account Token Creator role has been assigned to service account, but still no luck.

I believe the issue is for some reason the default scope, https://www.googleapis.com/auth/devstorage.full_control, is insufficient when using Compute Metadata credentials. Try this:

$storage = new StorageClient([
    'scopes' => [
        'https://www.googleapis.com/auth/iam',
        'https://www.googleapis.com/auth/devstorage.full_control',
    ]
]);
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Najtmare picture Najtmare  路  6Comments

highstrike picture highstrike  路  5Comments

ghost picture ghost  路  8Comments

mjniuz picture mjniuz  路  6Comments

smalot picture smalot  路  6Comments