Unbreak compute engine url signing
Signed-off-by: Tiger Kaovilai <[email protected]>

Remove doc assumptions that `GKE Workload Identity` = `Workload Identity Federation` and cannot generate signed URLs

Signed-off-by: Tiger Kaovilai <[email protected]>
kaovilai committed Oct 5, 2023
1 parent 343aa79 commit 6dfc7c1
Showing 3 changed files with 5 additions and 4 deletions.
2 changes: 0 additions & 2 deletions README.md
Expand Up @@ -175,8 +175,6 @@ This involves creating an external credential file and using it as `--secret-fil

#### Option 3: Using GKE Workload Identity

Keep in mind that [Workforce Identity Federation Users cannot generate signed URLs](https://cloud.google.com/iam/docs/federated-identity-supported-services#:~:text=workforce%20identity%20federation%20users%20cannot%20generate%20signed%20URLs.). This means, if you are using Workforce Identity Federation, you will not be able to run `velero backup logs`, `velero backup download`, `velero backup describe` and `velero restore describe`.

This requires a GKE cluster with workload identity enabled.

1. Create Velero Namespace
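Review bot: the caveat this hunk deletes is misplaced rather than wrong, and deleting it leaves a real limitation undocumented. The removed paragraph links to a Workforce Identity Federation limitation, which is not GKE Workload Identity, so it does not belong under "Option 3"; but the preceding option (the external credential file passed as `--secret-file`, described in the context line at the top of this hunk) is exactly the external_account case that the object_store.go change in this same commit still refuses to sign for. Move the paragraph under that option instead of dropping it, keeping the list of affected commands (`velero backup logs`, `velero backup download`, `velero backup describe`, `velero restore describe`), so users of external credential files know those commands will fail.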
1 change: 1 addition & 0 deletions changelogs/unreleased/158-kaovilai
@@ -0,0 +1 @@
Regression fix: Unbreak signed urls for compute engine
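Review bot: the changelog entry only mentions the compute engine fix, but the commit also changes which credentials are rejected (signing now fails only when GoogleAccessID is empty, i.e. external_account credentials, instead of for every non-service-account-key file credential) and removes a README caveat; say so in the entry, e.g. "Regression fix: unbreak signed URLs for compute engine credentials; signed URLs remain unsupported with external_account credentials". Also "urls" should be written "URLs".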
6 changes: 4 additions & 2 deletions velero-plugin-for-gcp/object_store.go
Expand Up @@ -301,8 +301,10 @@ func (o *ObjectStore) SignBytes(bytes []byte) ([]byte, error) {
}

func (o *ObjectStore) CreateSignedURL(bucket, key string, ttl time.Duration) (string, error) {
if o.fileCredType != serviceAccountKey {
return "", errors.New("cannot sign blob using non SA file credentials")
// googleAccessID is initialized from ServiceAccount key file and compute engine credentials.
// If using external_account credentials, googleAccessID will be empty and we cannot create signed URL.
if o.googleAccessID == "" {
return "", errors.New("GoogleAccessID is empty, perhaps using external_account credentials, cannot create signed URL")
}
options := storage.SignedURLOptions{
GoogleAccessID: o.googleAccessID,
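Review bot: the replacement guard `if o.googleAccessID == ""` rests entirely on the invariant stated in the comment above it (googleAccessID populated for service-account-key and compute engine credentials, empty for external_account), and the error message then guesses at the cause ("perhaps using external_account credentials"). Since `o.fileCredType` was already available to the check being removed, include it in the error so a misconfigured deployment is diagnosable from the message alone, e.g. `fmt.Errorf("cannot create signed URL: GoogleAccessID is empty (credential type %v)", o.fileCredType)`. A short unit test covering the three cases the comment names (service account key, compute engine, external_account) would also pin the invariant down, given that this is fixing a regression in exactly that logic.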