How do I successfully generate signed URLs to cloud storage objects when using workload identity federation?

This issue has been tracked since 2022-04-13.


  • Some of my tests generate signed URLs to Google Cloud Storage objects, but this does not work with workload identity federation
  • My GitHub CI workflow uses workload identity federation to authenticate, which has worked fine with all other cloud operations carried out in the tests
  • The tests pass when using an actual service account file locally

Expected behavior

The signed URLs to be generated normally

Observed behavior

As seen here, I get the following failed test

ERROR: test_create_signed_url (
Test that a signed URL to a cloud object can be created and used to access the file.
Traceback (most recent call last):
  File "/home/runner/work/octue-sdk-python/octue-sdk-python/tests/cloud/storage/", line 323, in test_create_signed_url
    url = self.storage_client.generate_signed_url(
  File "/home/runner/work/octue-sdk-python/octue-sdk-python/octue/cloud/storage/", line 280, in generate_signed_url
    return blob.generate_signed_url(expiration=expiration, **api_access_endpoint)
  File "/home/runner/work/octue-sdk-python/octue-sdk-python/.tox/py/lib/python3.8/site-packages/google/cloud/storage/", line 621, in generate_signed_url
    return helper(
  File "/home/runner/work/octue-sdk-python/octue-sdk-python/.tox/py/lib/python3.8/site-packages/google/cloud/storage/", line 396, in generate_signed_url_v2
    signed_query_params = get_signed_query_params_v2(
  File "/home/runner/work/octue-sdk-python/octue-sdk-python/.tox/py/lib/python3.8/site-packages/google/cloud/storage/", line 80, in get_signed_query_params_v2
  File "/home/runner/work/octue-sdk-python/octue-sdk-python/.tox/py/lib/python3.8/site-packages/google/cloud/storage/", line 52, in ensure_signed_credentials
    raise AttributeError(
AttributeError: you need a private key to sign credentials.the credentials you are currently using <class 'google.auth.identity_pool.Credentials'> just contains a token. see for more details.

Action YAML

Log output

Additional information

I found this similar issue for the google-cloud-go package and attempted some of the solutions, but they didn't work.

sethvargo wrote this answer on 2022-04-13

Hi @cortadocodes

Thank you for opening an issue. When using an exported service account key, the URL is signed with the private key embedded in the service account (there's no API call to GCP). When using WIF, there is no private key material stored locally, so you need to use the iamcredentials API's signBlob function to generate the signature.

This process is documented in the GCS documentation for signing:

Your programming language should have a library for performing RSA signatures. Alternatively, you can use the IAM signBlob method provided by Google Cloud if your expiration time is 12 hours or less.

So the algorithm is:

  1. Build the canonical request
  2. Build the string to sign
  3. Sign it with signBlob
  4. Concatenate to the URL

Unfortunately it doesn't look like there's a native function in the Python SDK to do this yet.

Does that make sense?

cortadocodes wrote this answer on 2022-04-18

Thank you for your quick reply @sethvargo! That makes sense. Do you know if there will be a native function in the python SDK anytime soon to do this?

sethvargo wrote this answer on 2022-04-18

Hi @cortadocodes - I'm not sure. It would be best to file an issue against the Python library directly:

sethvargo wrote this answer on 2022-04-22

Hi @cortadocodes

I'm going to close this out. Let me know if you need any more assistance!

More Details About Repo
Owner Name google-github-actions
Repo Name auth
Full Name google-github-actions/auth
Language TypeScript
Created Date 2021-09-16
Updated Date 2023-03-24
Star Count 573
Watcher Count 16
Fork Count 116
Issue Count 3


Issue Title Created Date Updated Date