google-cloud-platform, terraform, google-cloud-storage

How to Generate a Signed URL for storage bucket in Terraform without providing credentials


I am trying to generate a signed URL for an object in Google Cloud Storage using Terraform. Here is my code for reference.

variables.tf

variable "create_bucket_object" {
  default = true
}

variable "bucket_object" {
  default = [
    {
      name    = "flex/user.txt"
      content = "I am testing"
    },
    {
      name    = "where/are/you/test.txt"
      content = "I am inside bucket"
    },
    {
      name    = "who/am/i"
      content = " "
    }
  ]
}

main.tf

resource "google_storage_bucket" "bucket" {
  name                        = "test-bucket"
  location                    = "europe-west2"
  uniform_bucket_level_access = true
  force_destroy               = true
  storage_class               = "COLDLINE"
}

resource "google_storage_bucket_object" "object" {
  for_each   = { for item in var.bucket_object : item.name => item if var.create_bucket_object }
  name       = each.key
  bucket     = google_storage_bucket.bucket.name
  content    = lookup(each.value, "content", null)
  depends_on = [google_storage_bucket.bucket]
}

data "google_storage_object_signed_url" "get_url" {
  bucket   = google_storage_bucket.bucket.name
  path     = "where/are/you/test.txt"
  duration = "2h"
}

I am trying to create the data block signed URL without using credentials, but I am encountering the following error:

Error: Error parsing credentials: google: read JWT from JSON credentials: 'type' field is "external_account" (expected "service_account")

Since this is a production project, I don't have permission to download the JSON file. Is there a way to use the data block for the signed URL without providing the credentials?


Solution

  • Providing credentials when generating signed URLs is necessary, as they are required for authentication. You can use Application Default Credentials to look for your credentials automatically. However, based on the Terraform documentation, the default Google credentials configured by the gcloud SDK don't include the private key which is required to sign the URL.

    You can also try creating a service account key which you can use in the credentials argument. Here is the documentation on how to create and delete service account keys.
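As an added illustration of the answer above (this is example configuration, not code from the question or the answer), the data source's own credentials argument can be fed a service-account JSON key whose "type" field is "service_account", which is the key material the signer needs. The path ./signer-key.json and the variable name signer_key_path are hypothetical; the bucket and object are the ones from the question.

```hcl
# Added example: sign a Cloud Storage URL with an explicit service-account key.
# Assumes a JSON key file at ./signer-key.json (hypothetical path) whose
# "type" field is "service_account", and the google_storage_bucket.bucket
# resource from the question.

variable "signer_key_path" {
  description = "Path to a service_account-type JSON key (hypothetical example path)"
  type        = string
  default     = "./signer-key.json"
}

data "google_storage_object_signed_url" "get_url" {
  bucket      = google_storage_bucket.bucket.name
  path        = "where/are/you/test.txt"
  http_method = "GET"
  duration    = "2h"

  # Application Default Credentials from gcloud or workload identity federation
  # (the "external_account" type in the error) carry no private key, so the
  # signer cannot use them. A service_account JSON key does carry one.
  # Caveat: the key contents passed here are recorded in Terraform state, so
  # the state backend must be protected as carefully as the key file itself.
  credentials = file(var.signer_key_path)
}

output "signed_url" {
  # The URL is a bearer credential for the object until it expires,
  # so keep it out of plain plan/apply output.
  value     = data.google_storage_object_signed_url.get_url.signed_url
  sensitive = true
}
```

Per the data source documentation, credentials are resolved in this order: the data source's credentials attribute, the provider's credentials attribute, the GOOGLE_APPLICATION_CREDENTIALS environment variable, then default credentials. Setting the attribute directly, as above, avoids the external_account fallback that produced the error. A downloaded key is a long-lived secret; the documentation linked in the answer also covers deleting the key once it is no longer needed.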