Solved: google storage signBlob error

icepaco33 · 09-03-2023 06:05 PM

Greetings everyone,

I am trying to use SignBlob to allow direct access to Google storage to my users in a Cloud Run app.

I have setup this :

opts := &storage.SignedURLOptions{
        GoogleAccessID: serviceAccountName,
        Scheme:         storage.SigningSchemeV4,
        Method:         "PUT",
        ContentType:    ct,
        Headers: []string{
            "Content-Type:application/octet-stream",
        },
        Expires: time.Now().Add(15 * time.Minute),

And the service at serviceName has the iam.serviceAccounts.signBlob permission

The SignBlob is making this call Call to iamcredentials.googleapis.com
This returns either403 or 404 ...

And then I get the error : "unable to sign bytes: googleapi: Error 403: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist)."

Any idea what's going on ?Thanx !

icepaco33

Ok so turns out that the problem was that I didn't specify the

SERVICE_NAME
var when I launched the cloud run (see post above). By specifying the service name with the proper role, everything is working just fine...

View solution in original post

robertcarlos

Hi @icepaco33,

Welcome to Google Cloud Community!

You need to assign Service Account Token Creator role as this contains the permission iam.serviceAccounts.signBlob that lets you sign binary blobs.

You may also check these troubleshooting steps for both Cloud Run and Cloud Storage for 403 and/or 404 errors:

Hope this helps.

icepaco33

Hello @robertcarlos ,

First, thanx for the welcome !

I did assign Service Account Token Creator role to the service that I am passing ('ServiceAccountName'). I have used Policy Troubleshooter to verify that the role is indeed present.

Yet this call : iamcredentials.googleapis.com/v1/projects/-/{serviceName}:signBlob?alt=json&prettyPrint=false
returns 403

Is it possible that Cloud Run doesn't have access to the service ?

Are there some other role I need to assign in order for this to work ?

Thanx !

robertcarlos

Hello @icepaco33,

Please check these links below in troubleshooting error 403 for the following services:

If the aforementioned steps didn't work, you may seek out the options below for additional assistance with regards to your concern:

Hope this helps.

julien_bisconti

Hi,

I had the same issue recently, it is an API that needs to be enabled in order to generate short live credentials.

Once the API is enabled, the Cloud Run service needs a service account with the correct role to that API: iamcredentials.googleapis.com

I hope it helps,

Julien

icepaco33

Hello @julien_bisconti Not sure I follow : can you tell me which API needs to be enabled or how I can find / figure it out ?

Thank you so much !

julien_bisconti

Sure. Go there: https://console.developers.google.com/apis/api/iamcredentials.googleapis.com/overview

Make sure you select the correct project.

Then make sure that the service account used in Cloud Run has the permission `iam.serviceAccounts.signBlob`. You should be good

If the service doesn't have a specific service account, you can create one: https://cloud.google.com/iam/docs/service-accounts-create

Give it a role https://cloud.google.com/iam/docs/manage-access-service-accounts#grant-single-role

The name of the role that should work for you is: roles/iam.serviceAccountTokenCreator

and assign it to your service (the security tab).

icepaco33

Hello @julien_bisconti

When I look on the YAML of the Cloud Run service I see this in :
spec:

serviceAccountName

Is this the service account that is suppose to have the role (roles/iam.serviceACcountTokenCreator) ?

Thanx

julien_bisconti

Hi @icepaco33 ,

Exactly. Every Cloud Run service has a service account (its identity basically) and that service account must have the role attached to it.

To assign a service account to a Cloud Run service, click edit on your service, click on the Security tab and select the service account that has that role.

To attach a role to a service account:

In the Google Cloud console, go to the Service accounts page.
Go to Service accounts
Select the project that owns the service account that you will attach to a resource.
Click the email address of the service account that you will attach to a resource.
Go to the Permissions tab and find the section Principals with access to this service account.
Click Grant access, and then enter the email address of the service agent.
Click Select a role, type Service Account Token Creator, and click the role.
Click Save to save your changes.
Optional: If you need to grant the role to another service agent, repeat the previous steps.

icepaco33

Ok I think we're going somewhere here ...

When I go on Cloud Run -> Autorisation I indeed see I can add principal services...

However if I add a principal with the Token Creator role, that role is not transfered to the Cloud Run service. Most of the other roles (even owner, editor ...) are transfered but not the Token Creator role...

Something I didn't mentionned before : I auto build my Cloud Run service using Cloud Build

# Deploy to Cloud Run

- name: 'gcr.io/cloud-builders/gcloud@sha256:5c1a7c7be5d5b589166de56940b8a9e1fbb45f085ee8aba1a48ad33bbcc0ba1f'

args: ['run', 'deploy', '${SHORT_SHA}',

'--image=something

'--region=us-central1', '--allow-unauthenticated', '--execution-environment=gen2',

'--set-env-vars=APP_URL=something, GOOGLE_CLOUD_PROJECT=$PROJECT_ID'

Thanx !!

icepaco33

Ok so turns out that the problem was that I didn't specify the

SERVICE_NAME
var when I launched the cloud run (see post above). By specifying the service name with the proper role, everything is working just fine...

andreeacovaciu

What do you suggest to store in that var? The service account?

icepaco33

You need to store whatever service has the role you want... In this instance we need : iam.serviceAccounts.signBlob

andreeacovaciu

Right. Did that and no effect. I used iam policy and it kind of worked

icepaco33

You're going to have to give us a lot more info ...

Are you deploying to Google Run ?

What do you mean by kinda work ?
What are you trying to achieve ?