@@ -1051,15 +1051,30 @@ def get_signed_artifact_url(
10511051 f"The get_signed_artifact_url method only supports Google Cloud Storage URIs, but got { artifact_data .uri = }
10521052 )
10531053
1054+ import os
10541055 from google .cloud import storage
1055- from google import auth
1056-
1057- # Avoiding error: "you need a private key to sign credentials."
1058- # "the credentials you are currently using <class 'google.auth.compute_engine.credentials.Credentials'> just contains a token.
1059- # "see https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-account for more details."
1060- credentials = auth .default (
1061- scopes = ["https://www.googleapis.com/auth/cloud-platform.read-only" ]
1062- )[0 ]
1056+
1057+ # On GKE/Cloud Run the default SA credentials already have a private key.
1058+ # Locally, ADC is typically an OAuth user token (no private key), so we allow
1059+ # pointing GCS_SIGNING_KEY_FILE at a service account JSON key file to use instead.
1060+ sa_key_file = os .environ .get ("GCS_SIGNING_KEY_FILE" )
1061+ if sa_key_file :
1062+ from google .oauth2 import service_account
1063+
1064+ credentials = service_account .Credentials .from_service_account_file (
1065+ sa_key_file ,
1066+ scopes = ["https://www.googleapis.com/auth/cloud-platform" ],
1067+ )
1068+ else :
1069+ from google import auth
1070+
1071+ # Avoiding error: "you need a private key to sign credentials."
1072+ # "the credentials you are currently using <class 'google.auth.compute_engine.credentials.Credentials'> just contains a token.
1073+ # "see https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-account for more details."
1074+ credentials = auth .default (
1075+ scopes = ["https://www.googleapis.com/auth/cloud-platform" ]
1076+ )[0 ]
1077+
10631078 storage_client = storage .Client (credentials = credentials )
10641079 blob = storage .Blob .from_string (uri = artifact_data .uri , client = storage_client )
10651080 signed_url = blob .generate_signed_url (
0 commit comments