I am trying to generate a signed URL for an object in Google Cloud Storage using Terraform. Here is my code for reference:

variables.tf

    variable "create_bucket_object" {
      default = true
    }

    variable "bucket_object" {
      default = [
        {
          name    = "flex/user.txt"
          content = "I am testing"
        },
        {
          name    = "where/are/you/test.txt"
          content = "I am inside bucket"
        },
        {
          name    = "who/am/i"
          content = " "
        }
      ]
    }

main.tf

    resource "google_storage_bucket" "bucket" {
      name                        = "test-bucket"
      location                    = "europe-west2"
      uniform_bucket_level_access = true
      force_destroy               = true
      storage_class               = "COLDLINE"
    }

    resource "google_storage_bucket_object" "object" {
      for_each   = { for item in var.bucket_object : item.name => item if var.create_bucket_object }
      name       = each.key
      bucket     = google_storage_bucket.bucket.name
      content    = lookup(each.value, "content", null)
      depends_on = [google_storage_bucket.bucket]
    }

    data "google_storage_object_signed_url" "get_url" {
      bucket   = google_storage_bucket.bucket.name
      path     = "where/are/you/test.txt"
      duration = "2h"
    }

I am trying to create the data block signed URL without using credentials, but I am encountering the following error:
Error: Error parsing credentials: google: read JWT from JSON credentials: 'type' field is "external_account" (expected "service_account")
Since this is a production project, I don't have permission to download the JSON file. Is there a way to use the data block for the signed URL without providing the credentials?
Providing credentials when generating signed URLs is necessary, as they are required for authentication. You can use Application Default Credentials to look for your credentials automatically. However, based on the Terraform documentation, the default Google credentials configured by the gcloud SDK don't include the private key, which is required to sign the URL.
You can also try creating a service account key which you can use in the credentials argument. Here is the documentation on how to create and delete service account keys.
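
As an added example (not part of the original answer or of the Terraform provider), this Python preflight check reads a credentials JSON document and reports whether it contains the private key that local URL signing needs, which is the condition behind the error quoted in the question. The two sample documents are constructed with placeholder values, and the default file location assumed is gcloud's path on Linux/macOS.

```python
import json
import os
from pathlib import Path

# Constructed samples (placeholder values, no real secrets).
SAMPLE_EXTERNAL = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/0/locations/global/placeholder",
    "credential_source": {"file": "/placeholder/token"},
})
SAMPLE_SERVICE_ACCOUNT = json.dumps({
    "type": "service_account",
    "client_email": "signer@example-project.iam.gserviceaccount.com",
    "private_key": "<constructed placeholder, not a real key>",
})

def adc_path(env=None):
    """File ADC reads: GOOGLE_APPLICATION_CREDENTIALS, else gcloud's default (Linux/macOS)."""
    env = os.environ if env is None else env
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        return Path(explicit)
    return Path.home() / ".config" / "gcloud" / "application_default_credentials.json"

def can_sign_locally(raw_json):
    """Return (ok, reason): can this credentials document sign a URL by itself?"""
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return False, f"not valid JSON: {exc.msg}"
    if not isinstance(doc, dict):
        return False, "top-level JSON value is not an object"
    ctype = doc.get("type")
    if ctype != "service_account":
        # external_account, authorized_user, etc. carry no private key.
        return False, f"'type' is {ctype!r}, expected 'service_account'"
    missing = [k for k in ("client_email", "private_key") if not doc.get(k)]
    if missing:
        return False, "service_account file is missing: " + ", ".join(missing)
    return True, "signable as " + doc["client_email"]

if __name__ == "__main__":
    for label, raw in (("external", SAMPLE_EXTERNAL), ("key file", SAMPLE_SERVICE_ACCOUNT)):
        print(label, can_sign_locally(raw))
    path = adc_path()
    if path.is_file():
        # Only the verdict is printed, never the file contents.
        print(path, can_sign_locally(path.read_text()))
```

Running it before `terraform plan` shows which kind of credentials file the environment points at without printing any of its contents.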