google-cloud-storage 1.25.0 → 1.27.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5a6c22c5d1bf15537e1a8d0b351074e67b32a9f77d70ae4febd9fac791ac1601
-  data.tar.gz: 3378d1c26298d5a6d985ca6b1c2f09f82e00f2303a6953b7b8ee0a077b3fa120
+  metadata.gz: c1c5fde2ed35606723e05c787ff96fd6ec31d7e06015e09bcac8dc0bc4b9ae05
+  data.tar.gz: bf1391389ff711934df5302f65cdf6136bad14b0a00865728da8fe3b549b3cbe
 SHA512:
-  metadata.gz: 6a3409354e221650f8893943755fd72050cd5cfa88960df584d98b9b57ad23ac5342a72857dd13528670ad93931514468e7f8b4dd29f537d4645ff3ca511adf7
-  data.tar.gz: 80cd7709621da535d303d2efd196ef4cddc97cd243d0a4f2400ffcd88cfc5ed113c21ca51ad9e928df1e81dd587b62859f220e90642dedfc761bc86251d1d3cd
+  metadata.gz: 1e7d9a97562357737322928a56f093ed42bc8f8015a06723c5e403c402367a89f56604eeefb2bbbf289a7dce5b84ee055f76f3d6ef6df6d987f7f05ed5eed5fe
+  data.tar.gz: 67046c8397a7e7fabf7b0a4d4e6501417ba815b55267e641a0ab51cdb233641e699348629a021763724aaca623e25a901395d77453b78fbc90ae67d4efca17b1

data/AUTHENTICATION.md

@@ -102,8 +102,14 @@ To configure your system for this, simply:
 2. Authenticate using OAuth 2.0 `$ gcloud auth login`
 3. Write code as if already authenticated.
 
-**NOTE:** This is _not_ recommended for running in production. The Cloud SDK
-*should* only be used during development.
+**NOTE:** The use of Cloud SDK credentials is _not_ recommended for running in
+production. The Cloud SDK *should* only be used during development.
+
+**NOTE:** The use of Cloud SDK credentials may not support certain methods such as
+those that produce
+[signed URLs](https://cloud.google.com/storage/docs/access-control/signed-urls) and
+post objects. For these methods, authentication using a service account JSON key file
+is required.
 
 [gce-how-to]: https://cloud.google.com/compute/docs/authentication#using
 [dev-console]: https://console.cloud.google.com/project

data/CHANGELOG.md

@@ -1,5 +1,58 @@
 # Release History
 
+### 1.27.0 / 2020-07-29
+
+#### Features
+
+* Add support for signing URLs with IAMCredentials SignBlob API
+  * Add signer parameter accepting Procs to the following methods:
+    * Project#signed_url
+    * Bucket#generate_signed_post_policy_v4
+    * Bucket#post_object
+    * Bucket#signed_url
+    * File#signed_url
+  * Update signer aliases signing_key and private_key to similarly support Procs
+
+#### Documentation
+
+* Update documentation of SignedUrlUnavailable
+
+### 1.26.2 / 2020-05-28
+
+#### Documentation
+
+* Fix a few broken links
+
+### 1.26.1 / 2020-05-06
+
+#### Bug Fixes
+
+* Add missing bucket condition in SignerV4#post_object
+* Ensure bucket is not returned in PostObject fields
+
+### 1.26.0 / 2020-04-06
+
+#### Features
+
+* Update V4 Signature support in Project#signed_url, Bucket#signed_url and File#signed_url
+  * Add scheme, virtual_hosted_style and bucket_bound_hostname to #signed_url methods
+  * Add support for V4 query param encoding and ordering
+  * Convert tabs in V4 to single whitespace character
+  * Set payload in V4 to X-Goog-Content-SHA256 if present
+  * Fix method param default value GET for #signed_url
+* Add support for V4 Signature POST Policies
+  * Add Bucket#generate_signed_post_policy_v4
+
+#### Bug Fixes
+
+* Address keyword argument warnings in Ruby 2.7 and later
+
+### 1.25.1 / 2020-01-06
+
+#### Documentation
+
+* Add ARCHIVE storage class
+
 ### 1.25.0 / 2019-12-12
 
 #### Features

data/TROUBLESHOOTING.md

@@ -24,14 +24,8 @@ improved, *please* create a new issue on GitHub so we can talk about it.
 
   - [New issue][gh-ruby]
 
-Or, you can ask questions on the [Google Cloud Platform Slack][slack-ruby]. You
-can use the "ruby" channel for general Ruby questions, or use the
-"google-cloud-ruby" channel if you have questions about this gem in particular.
-
 [so-ruby]: http://stackoverflow.com/questions/tagged/google-cloud-platform+ruby+storage
 
-[gh-search-ruby]: https://github.com/googlecloudplatform/google-cloud-ruby/issues?q=label%3A%22api%3A+storage%22
-
-[gh-ruby]: https://github.com/googlecloudplatform/google-cloud-ruby/issues/new
+[gh-search-ruby]: https://github.com/googleapis/google-cloud-ruby/issues?q=label%3A%22api%3A+storage%22
 
-[slack-ruby]: https://gcp-slack.appspot.com/
+[gh-ruby]: https://github.com/googleapis/google-cloud-ruby/issues/new

data/lib/google/cloud/storage/bucket.rb

@@ -357,7 +357,7 @@ module Google
         ##
         # The bucket's storage class. This defines how objects in the bucket are
         # stored and determines the SLA and the cost of storage. Values include
-        # `STANDARD`, `NEARLINE`, and `COLDLINE`. `REGIONAL`,`MULTI_REGIONAL`,
+        # `STANDARD`, `NEARLINE`, `COLDLINE`, and `ARCHIVE`. `REGIONAL`,`MULTI_REGIONAL`,
         # and `DURABLE_REDUCED_AVAILABILITY` are supported as legacy storage
         # classes.
         #
@@ -370,11 +370,11 @@ module Google
         ##
         # Updates the bucket's storage class. This defines how objects in the
         # bucket are stored and determines the SLA and the cost of storage.
-        # Accepted values include `:standard`, `:nearline`, and `:coldline`, as
-        # well as the equivalent strings returned by {Bucket#storage_class}.
-        # `:multi_regional`, `:regional`, and  `durable_reduced_availability`
-        # are accepted as legacy storage classes. For more information, see
-        # [Storage
+        # Accepted values include `:standard`, `:nearline`, `:coldline`, and
+        # `:archive`, as well as the equivalent strings returned by
+        # {Bucket#storage_class}. `:multi_regional`, `:regional`, and
+        # `durable_reduced_availability` are accepted as legacy storage classes.
+        # For more information, see [Storage
         # Classes](https://cloud.google.com/storage/docs/storage-classes).
         #
         # @param [Symbol, String] new_storage_class Storage class of the bucket.
@@ -1146,8 +1146,8 @@ module Google
         # @param [Symbol, String] storage_class Storage class of the file.
         #   Determines how the file is stored and determines the SLA and the
         #   cost of storage. Accepted values include `:standard`, `:nearline`,
-        #   and `:coldline`, as well as the equivalent strings returned by
-        #   {#storage_class}. `:multi_regional`, `:regional`, and
+        #   `:coldline`, and `:archive`, as well as the equivalent strings
+        #   returned by {#storage_class}. `:multi_regional`, `:regional`, and
         #   `durable_reduced_availability` are accepted legacy storage classes.
         #   For more information, see [Storage
         #   Classes](https://cloud.google.com/storage/docs/storage-classes)
@@ -1254,22 +1254,27 @@ module Google
                         storage_class: nil, encryption_key: nil, kms_key: nil,
                         temporary_hold: nil, event_based_hold: nil
           ensure_service!
-          options = { acl: File::Acl.predefined_rule_for(acl), md5: md5,
-                      cache_control: cache_control, content_type: content_type,
-                      content_disposition: content_disposition, crc32c: crc32c,
-                      content_encoding: content_encoding, metadata: metadata,
-                      content_language: content_language, key: encryption_key,
-                      kms_key: kms_key,
-                      storage_class: storage_class_for(storage_class),
-                      temporary_hold: temporary_hold,
-                      event_based_hold: event_based_hold,
-                      user_project: user_project }
           ensure_io_or_file_exists! file
           path ||= file.path if file.respond_to? :path
           path ||= file if file.is_a? String
           raise ArgumentError, "must provide path" if path.nil?
 
-          gapi = service.insert_file name, file, path, options
+
+          gapi = service.insert_file name, file, path, acl: File::Acl.predefined_rule_for(acl),
+                                                       md5: md5,
+                                                       cache_control: cache_control,
+                                                       content_type: content_type,
+                                                       content_disposition: content_disposition,
+                                                       crc32c: crc32c,
+                                                       content_encoding: content_encoding,
+                                                       metadata: metadata,
+                                                       content_language: content_language,
+                                                       key: encryption_key,
+                                                       kms_key: kms_key,
+                                                       storage_class: storage_class_for(storage_class),
+                                                       temporary_hold: temporary_hold,
+                                                       event_based_hold: event_based_hold,
+                                                       user_project: user_project
           File.from_gapi gapi, service, user_project: user_project
         end
         alias upload_file create_file
@@ -1368,9 +1373,6 @@ module Google
             raise ArgumentError, "must provide at least two source files"
           end
 
-          options = { acl: File::Acl.predefined_rule_for(acl),
-                      key: encryption_key,
-                      user_project: user_project }
           destination_gapi = nil
           if block_given?
             destination_gapi = API::Object.new
@@ -1378,8 +1380,11 @@ module Google
             yield updater
             updater.check_for_changed_metadata!
           end
-          gapi = service.compose_file name, sources, destination,
-                                      destination_gapi, options
+
+          acl_rule = File::Acl.predefined_rule_for acl
+          gapi = service.compose_file name, sources, destination, destination_gapi, acl: acl_rule,
+                                                                                    key: encryption_key,
+                                                                                    user_project: user_project
           File.from_gapi gapi, service, user_project: user_project
         end
         alias compose_file compose
@@ -1401,7 +1406,7 @@ module Google
         # A {SignedUrlUnavailable} is raised if the service account credentials
         # are missing. Service account credentials are acquired by following the
         # steps in [Service Account Authentication](
-        # https://cloud.google.com/storage/docs/authentication#service_accounts).
+        # https://cloud.google.com/iam/docs/service-accounts).
         #
         # @see https://cloud.google.com/storage/docs/access-control/signed-urls
         #   Signed URLs guide
@@ -1428,10 +1433,22 @@ module Google
         #   use the signed URL.
         # @param [String] issuer Service Account's Client Email.
         # @param [String] client_email Service Account's Client Email.
-        # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
-        #   Private Key.
-        # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
-        #   Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        #
+        #   When using this method in environments such as GAE Flexible Environment,
+        #   GKE, or Cloud Functions where the private key is unavailable, it may be
+        #   necessary to provide a Proc (or lambda) via the signer parameter. This
+        #   Proc should return a signature created using a RPC call to the
+        #   [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
+        #   method as shown in the example below.
         # @param [Hash] query Query string parameters to include in the signed
         #   URL. The given parameters are not verified by the signature.
         #
@@ -1440,11 +1457,29 @@ module Google
         #   using the URL, but only when the file resource is missing the
         #   corresponding values. (These values can be permanently set using
         #   {File#content_disposition=} and {File#content_type=}.)
+        # @param [String] scheme The URL scheme. The default value is `HTTPS`.
+        # @param [Boolean] virtual_hosted_style Whether to use a virtual hosted-style
+        #   hostname, which adds the bucket into the host portion of the URI rather
+        #   than the path, e.g. `https://mybucket.storage.googleapis.com/...`.
+        #   For V4 signing, this also sets the `host` header in the canonicalized
+        #   extension headers to the virtual hosted-style host, unless that header is
+        #   supplied via the `headers` param. The default value of `false` uses the
+        #   form of `https://storage.googleapis.com/mybucket`.
+        # @param [String] bucket_bound_hostname Use a bucket-bound hostname, which
+        #   replaces the `storage.googleapis.com` host with the name of a `CNAME`
+        #   bucket, e.g. a bucket named `gcs-subdomain.my.domain.tld`, or a Google
+        #   Cloud Load Balancer which routes to a bucket you own, e.g.
+        #   `my-load-balancer-domain.tld`.
         # @param [Symbol, String] version The version of the signed credential
         #   to create. Must be one of `:v2` or `:v4`. The default value is
         #   `:v2`.
         #
-        # @return [String]
+        # @return [String] The signed URL.
+        #
+        # @raise [SignedUrlUnavailable] If the service account credentials
+        #   are missing. Service account credentials are acquired by following the
+        #   steps in [Service Account Authentication](
+        #   https://cloud.google.com/iam/docs/service-accounts).
         #
         # @example
         #   require "google/cloud/storage"
@@ -1475,6 +1510,40 @@ module Google
         #                                  issuer: "service-account@gcloud.com",
         #                                  signing_key: key
         #
+        # @example Using Cloud IAMCredentials signBlob to create the signature:
+        #   require "google/cloud/storage"
+        #   require "google/apis/iamcredentials_v1"
+        #   require "googleauth"
+        #
+        #   # Issuer is the service account email that the Signed URL will be signed with
+        #   # and any permission granted in the Signed URL must be granted to the
+        #   # Google Service Account.
+        #   issuer = "service-account@project-id.iam.gserviceaccount.com"
+        #
+        #   # Create a lambda that accepts the string_to_sign
+        #   signer = lambda do |string_to_sign|
+        #     IAMCredentials = Google::Apis::IamcredentialsV1
+        #     iam_client = IAMCredentials::IAMCredentialsService.new
+        #
+        #     # Get the environment configured authorization
+        #     scopes = ["https://www.googleapis.com/auth/iam"]
+        #     iam_client.authorization = Google::Auth.get_application_default scopes
+        #
+        #     request = {
+        #       "payload": string_to_sign,
+        #     }
+        #     resource = "projects/-/serviceAccounts/#{issuer}"
+        #     response = iam_client.sign_service_account_blob resource, request, {}
+        #     response.signed_blob
+        #   end
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket_name = "my-todo-app"
+        #   file_path = "avatars/heidi/400x400.png"
+        #   url = storage.signed_url bucket_name, file_path,
+        #                            method: "GET", issuer: issuer,
+        #                            signer: signer
         # @example Using the `headers` option:
         #   require "google/cloud/storage"
         #
@@ -1510,28 +1579,52 @@ module Google
         #   bucket = storage.bucket "my-todo-app"
         #   list_files_url = bucket.signed_url version: :v4
         #
-        def signed_url path = nil, method: nil, expires: nil, content_type: nil,
-                       content_md5: nil, headers: nil, issuer: nil,
-                       client_email: nil, signing_key: nil, private_key: nil,
-                       query: nil, version: nil
+        def signed_url path = nil,
+                       method: "GET",
+                       expires: nil,
+                       content_type: nil,
+                       content_md5: nil,
+                       headers: nil,
+                       issuer: nil,
+                       client_email: nil,
+                       signing_key: nil,
+                       private_key: nil,
+                       signer: nil,
+                       query: nil,
+                       scheme: "HTTPS",
+                       virtual_hosted_style: nil,
+                       bucket_bound_hostname: nil,
+                       version: nil
           ensure_service!
           version ||= :v2
           case version.to_sym
           when :v2
-            signer = File::SignerV2.from_bucket self, path
-            signer.signed_url method: method, expires: expires,
-                              headers: headers, content_type: content_type,
-                              content_md5: content_md5, issuer: issuer,
-                              client_email: client_email,
-                              signing_key: signing_key,
-                              private_key: private_key, query: query
+            sign = File::SignerV2.from_bucket self, path
+            sign.signed_url method: method,
+                            expires: expires,
+                            headers: headers,
+                            content_type: content_type,
+                            content_md5: content_md5,
+                            issuer: issuer,
+                            client_email: client_email,
+                            signing_key: signing_key,
+                            private_key: private_key,
+                            signer: signer,
+                            query: query
           when :v4
-            signer = File::SignerV4.from_bucket self, path
-            signer.signed_url method: method, expires: expires,
-                              headers: headers, issuer: issuer,
-                              client_email: client_email,
-                              signing_key: signing_key,
-                              private_key: private_key, query: query
+            sign = File::SignerV4.from_bucket self, path
+            sign.signed_url method: method,
+                            expires: expires,
+                            headers: headers,
+                            issuer: issuer,
+                            client_email: client_email,
+                            signing_key: signing_key,
+                            private_key: private_key,
+                            signer: signer,
+                            query: query,
+                            scheme: scheme,
+                            virtual_hosted_style: virtual_hosted_style,
+                            bucket_bound_hostname: bucket_bound_hostname
           else
             raise ArgumentError, "version '#{version}' not supported"
           end
@@ -1552,28 +1645,45 @@ module Google
         # A {SignedUrlUnavailable} is raised if the service account credentials
         # are missing. Service account credentials are acquired by following the
         # steps in [Service Account Authentication](
-        # https://cloud.google.com/storage/docs/authentication#service_accounts).
+        # https://cloud.google.com/iam/docs/service-accounts).
         #
         # @see https://cloud.google.com/storage/docs/xml-api/post-object
         #
         # @param [String] path Path to the file in Google Cloud Storage.
         # @param [Hash] policy The security policy that describes what
-        #   can and cannot be uploaded in the form. When provided,
-        #   the PostObject fields will include a Signature based on the JSON
-        #   representation of this Hash and the same policy in Base64 format.
+        #   can and cannot be uploaded in the form. When provided, the PostObject
+        #   fields will include a signature based on the JSON representation of
+        #   this hash and the same policy in Base64 format.
+        #
         #   If you do not provide a security policy, requests are considered
         #   to be anonymous and will only work with buckets that have granted
-        #   WRITE or FULL_CONTROL permission to anonymous users.
+        #   `WRITE` or `FULL_CONTROL` permission to anonymous users.
         #   See [Policy Document](https://cloud.google.com/storage/docs/xml-api/post-object#policydocument)
         #   for more information.
         # @param [String] issuer Service Account's Client Email.
         # @param [String] client_email Service Account's Client Email.
-        # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
-        #   Private Key.
-        # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
-        #   Private Key.
-        #
-        # @return [PostObject]
+        # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        #
+        #   When using this method in environments such as GAE Flexible Environment,
+        #   GKE, or Cloud Functions where the private key is unavailable, it may be
+        #   necessary to provide a Proc (or lambda) via the signer parameter. This
+        #   Proc should return a signature created using a RPC call to the
+        #   [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
+        #   method as shown in the example below.
+        # @return [PostObject] An object containing the URL, fields, and values needed to upload files via html forms.
+        #
+        # @raise [SignedUrlUnavailable] If the service account credentials
+        #   are missing. Service account credentials are acquired by following the
+        #   steps in [Service Account Authentication](
+        #   https://cloud.google.com/iam/docs/service-accounts).
         #
         # @example
         #   require "google/cloud/storage"
@@ -1633,15 +1743,213 @@ module Google
         #   post.fields[:signature] #=> "ABC...XYZ="
         #   post.fields[:policy] #=> "ABC...XYZ="
         #
-        def post_object path, policy: nil, issuer: nil,
-                        client_email: nil, signing_key: nil,
-                        private_key: nil
+        # @example Using Cloud IAMCredentials signBlob to create the signature:
+        #   require "google/cloud/storage"
+        #   require "google/apis/iamcredentials_v1"
+        #   require "googleauth"
+        #
+        #   # Issuer is the service account email that the Signed URL will be signed with
+        #   # and any permission granted in the Signed URL must be granted to the
+        #   # Google Service Account.
+        #   issuer = "service-account@project-id.iam.gserviceaccount.com"
+        #
+        #   # Create a lambda that accepts the string_to_sign
+        #   signer = lambda do |string_to_sign|
+        #     IAMCredentials = Google::Apis::IamcredentialsV1
+        #     iam_client = IAMCredentials::IAMCredentialsService.new
+        #
+        #     # Get the environment configured authorization
+        #     scopes = ["https://www.googleapis.com/auth/iam"]
+        #     iam_client.authorization = Google::Auth.get_application_default scopes
+        #
+        #     request = {
+        #       "payload": string_to_sign,
+        #     }
+        #     resource = "projects/-/serviceAccounts/#{issuer}"
+        #     response = iam_client.sign_service_account_blob resource, request, {}
+        #     response.signed_blob
+        #   end
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-todo-app"
+        #   post = bucket.post_object "avatars/heidi/400x400.png",
+        #                             issuer: issuer,
+        #                             signer: signer
+        #
+        #   post.url #=> "https://storage.googleapis.com"
+        #   post.fields[:key] #=> "my-todo-app/avatars/heidi/400x400.png"
+        #   post.fields[:GoogleAccessId] #=> "0123456789@gserviceaccount.com"
+        #   post.fields[:signature] #=> "ABC...XYZ="
+        #   post.fields[:policy] #=> "ABC...XYZ="
+        #
+        def post_object path,
+                        policy: nil,
+                        issuer: nil,
+                        client_email: nil,
+                        signing_key: nil,
+                        private_key: nil,
+                        signer: nil
           ensure_service!
+          sign = File::SignerV2.from_bucket self, path
+          sign.post_object issuer: issuer,
+                           client_email: client_email,
+                           signing_key: signing_key,
+                           private_key: private_key,
+                           signer: signer,
+                           policy: policy
+        end
 
-          signer = File::SignerV2.from_bucket self, path
-          signer.post_object issuer: issuer, client_email: client_email,
-                             signing_key: signing_key, private_key: private_key,
-                             policy: policy
+        ##
+        # Generate a PostObject that includes the fields and url to
+        # upload objects via html forms.
+        #
+        # Generating a PostObject requires service account credentials,
+        # either by connecting with a service account when calling
+        # {Google::Cloud.storage}, or by passing in the service account
+        # `issuer` and `signing_key` values. Although the private key can
+        # be passed as a string for convenience, creating and storing
+        # an instance of `OpenSSL::PKey::RSA` is more efficient
+        # when making multiple calls to `generate_signed_post_policy_v4`.
+        #
+        # A {SignedUrlUnavailable} is raised if the service account credentials
+        # are missing. Service account credentials are acquired by following the
+        # steps in [Service Account Authentication](
+        # https://cloud.google.com/iam/docs/service-accounts).
+        #
+        # @see https://cloud.google.com/storage/docs/xml-api/post-object
+        #
+        # @param [String] path Path to the file in Google Cloud Storage.
+        # @param [String] issuer Service Account's Client Email.
+        # @param [String] client_email Service Account's Client Email.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        #
+        #   When using this method in environments such as GAE Flexible Environment,
+        #   GKE, or Cloud Functions where the private key is unavailable, it may be
+        #   necessary to provide a Proc (or lambda) via the signer parameter. This
+        #   Proc should return a signature created using a RPC call to the
+        #   [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
+        #   method as shown in the example below.
+        # @param [Integer] expires The number of seconds until the URL expires.
+        #   The default is 604800 (7 days).
+        # @param [Hash] fields User-supplied form fields such as `acl`,
+        #   `cache-control`, `success_action_status`, and `success_action_redirect`.
+        # @param [Array<Hash|Array>] conditions User-supplied policy conditions.
+        # @param [String] scheme The URL scheme. The default value is `HTTPS`.
+        # @param [Boolean] virtual_hosted_style Whether to use a virtual hosted-style
+        #   hostname, which adds the bucket into the host portion of the URI rather
+        #   than the path, e.g. `https://mybucket.storage.googleapis.com/...`.
+        #   The default value of `false` uses the
+        #   form of `https://storage.googleapis.com/mybucket`.
+        # @param [String] bucket_bound_hostname Use a bucket-bound hostname, which
+        #   replaces the `storage.googleapis.com` host with the name of a `CNAME`
+        #   bucket, e.g. a bucket named `gcs-subdomain.my.domain.tld`, or a Google
+        #   Cloud Load Balancer which routes to a bucket you own, e.g.
+        #   `my-load-balancer-domain.tld`.
+        #
+        # @return [PostObject] An object containing the URL, fields, and values needed to upload files via html forms.
+        #
+        # @raise [SignedUrlUnavailable] If the service account credentials
+        #   are missing. Service account credentials are acquired by following the
+        #   steps in [Service Account Authentication](
+        #   https://cloud.google.com/iam/docs/service-accounts).
+        #
+        # @example
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-todo-app"
+        #
+        #   conditions = [["starts-with", "$acl","public"]]
+        #   post = bucket.generate_signed_post_policy_v4 "avatars/heidi/400x400.png", expires: 10,
+        #                                                                             conditions: conditions
+        #
+        #   post.url #=> "https://storage.googleapis.com/my-todo-app/"
+        #   post.fields["key"] #=> "my-todo-app/avatars/heidi/400x400.png"
+        #   post.fields["policy"] #=> "ABC...XYZ"
+        #   post.fields["x-goog-algorithm"] #=> "GOOG4-RSA-SHA256"
+        #   post.fields["x-goog-credential"] #=> "cred@pid.iam.gserviceaccount.com/20200123/auto/storage/goog4_request"
+        #   post.fields["x-goog-date"] #=> "20200128T000000Z"
+        #   post.fields["x-goog-signature"] #=> "4893a0e...cd82"
+        #
+        # @example Using Cloud IAMCredentials signBlob to create the signature:
+        #   require "google/cloud/storage"
+        #   require "google/apis/iamcredentials_v1"
+        #   require "googleauth"
+        #
+        #   # Issuer is the service account email that the Signed URL will be signed with
+        #   # and any permission granted in the Signed URL must be granted to the
+        #   # Google Service Account.
+        #   issuer = "service-account@project-id.iam.gserviceaccount.com"
+        #
+        #   # Create a lambda that accepts the string_to_sign
+        #   signer = lambda do |string_to_sign|
+        #     IAMCredentials = Google::Apis::IamcredentialsV1
+        #     iam_client = IAMCredentials::IAMCredentialsService.new
+        #
+        #     # Get the environment configured authorization
+        #     scopes = ["https://www.googleapis.com/auth/iam"]
+        #     iam_client.authorization = Google::Auth.get_application_default scopes
+        #
+        #     request = {
+        #       "payload": string_to_sign,
+        #     }
+        #     resource = "projects/-/serviceAccounts/#{issuer}"
+        #     response = iam_client.sign_service_account_blob resource, request, {}
+        #     response.signed_blob
+        #   end
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-todo-app"
+        #   conditions = [["starts-with", "$acl","public"]]
+        #   post = bucket.generate_signed_post_policy_v4(
+        #     "avatars/heidi/400x400.png", expires: 10,
+        #     conditions: conditions, issuer: issuer, signer: signer
+        #   )
+        #
+        #   post.url #=> "https://storage.googleapis.com/my-todo-app/"
+        #   post.fields["key"] #=> "my-todo-app/avatars/heidi/400x400.png"
+        #   post.fields["policy"] #=> "ABC...XYZ"
+        #   post.fields["x-goog-algorithm"] #=> "GOOG4-RSA-SHA256"
+        #   post.fields["x-goog-credential"] #=> "cred@pid.iam.gserviceaccount.com/20200123/auto/storage/goog4_request"
+        #   post.fields["x-goog-date"] #=> "20200128T000000Z"
+        #   post.fields["x-goog-signature"] #=> "4893a0e...cd82"
+        #
+        def generate_signed_post_policy_v4 path,
+                                           issuer: nil,
+                                           client_email: nil,
+                                           signing_key: nil,
+                                           private_key: nil,
+                                           signer: nil,
+                                           expires: nil,
+                                           fields: nil,
+                                           conditions: nil,
+                                           scheme: "https",
+                                           virtual_hosted_style: nil,
+                                           bucket_bound_hostname: nil
+          ensure_service!
+          sign = File::SignerV4.from_bucket self, path
+          sign.post_object issuer: issuer,
+                           client_email: client_email,
+                           signing_key: signing_key,
+                           private_key: private_key,
+                           signer: signer,
+                           expires: expires,
+                           fields: fields,
+                           conditions: conditions,
+                           scheme: scheme,
+                           virtual_hosted_style: virtual_hosted_style,
+                           bucket_bound_hostname: bucket_bound_hostname
         end
 
         ##
@@ -2125,11 +2433,12 @@ module Google
         def create_notification topic, custom_attrs: nil, event_types: nil,
                                 prefix: nil, payload: nil
           ensure_service!
-          options = { custom_attrs: custom_attrs, event_types: event_types,
-                      prefix: prefix, payload: payload,
-                      user_project: user_project }
 
-          gapi = service.insert_notification name, topic, options
+          gapi = service.insert_notification name, topic, custom_attrs: custom_attrs,
+                                                          event_types: event_types,
+                                                          prefix: prefix,
+                                                          payload: payload,
+                                                          user_project: user_project
           Notification.from_gapi name, gapi, service, user_project: user_project
         end
         alias new_notification create_notification
@@ -2215,7 +2524,7 @@ module Google
           patch_args = Hash[attributes.map do |attr|
             [attr, @gapi.send(attr)]
           end]
-          patch_gapi = API::Bucket.new patch_args
+          patch_gapi = API::Bucket.new(**patch_args)
           @gapi = service.patch_bucket name, patch_gapi,
                                        user_project: user_project
           @lazy = nil