是的,您可以,但是我必须深入研究以找到方法(如果您不关心细节,请跳到最后)
如果您进入_signing.py file
623行,则可以看到
if access_token and service_account_email:
signature = _sign_message(string_to_sign, access_token, service_account_email)
...
如果提供access_token
和service_account_email
,则可以使用_sign_message
方法。此方法在此行使用IAM服务SignBlobAPI
这很重要,因为您现在可以在本地没有私钥的情况下对Blob进行签名!!因此,这解决了问题,并且以下代码可在Cloud Run上运行(而且我敢肯定,在Cloud Function上)
def sign_url():
from google.cloud import storage
from datetime import datetime, timedelta
import google.auth
credentials, project_id = google.auth.default()
# Perform a refresh request to get the access token of the current credentials (Else, it's None)
from google.auth.transport import requests
r = requests.Request()
credentials.refresh(r)
client = storage.Client()
bucket = client.get_bucket('EXAMPLE_BUCKET')
blob = bucket.get_blob('libraries/image_1.png')
expires = datetime.Now() + timedelta(seconds=86400)
# In case of user credential use, define manually the service account to use (for development purpose only)
service_account_email = "YOUR DEV SERVICE ACCOUNT"
# If you use a service account credential, you can use the embedded email
if hasattr(credentials, "service_account_email"):
service_account_email = credentials.service_account_email
url = blob.generate_signed_url(expiration=expires,service_account_email=service_account_email, access_token=credentials.token)
return url, 200
让我知道是否不清楚