google-cloud-storage 1.26.1 → 1.29.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 9083f05d349c2e50228481a762993db7250f193118f4012e8ba0b6b2036a7e1e
4
- data.tar.gz: 4d217ea587ff127e0359b099de79e2bf0115632eb53be81b97fb8e1b2e63cc28
3
+ metadata.gz: 9d4a2aa4fb9f98b7c0e842d436fe23e66d44af1f47afaba5cb3feea37dc7a04e
4
+ data.tar.gz: 53e4761ea01664572d9e5f39d90d41ef2726cf9879ef8cda51b77c395e5fa4a2
5
5
  SHA512:
6
- metadata.gz: f330d5447ebf7b013156306bdd768d1706843f12158923a3c31b60a7e54fc549f43848085db410e3b7542841e4443ada762e42b3d722f35a1038d43505c9be3f
7
- data.tar.gz: e803bc25863cfdea1b9fc50fccd9db7cb0d0aef652540253704fc74452bb1f95c0537b51ecd96ba764bc431046c0f4297bf682dfb435302e706ea574f4859d80
6
+ metadata.gz: 378453a678dd7d46d92454773c8c564a206dfbfdaa7ac35b828f889e7c0b378d7beaf951d631dd0a8714bb105db9221d53a8536d2ed8a89a323799f932bf1cb7
7
+ data.tar.gz: 9707109d71ed6e4f0fb07d0260cfb5ece5f5f1018731b0b2a9ff3a369dd84804c4e154572589d34329fb962b3ee62fa120e8b4faad274ab6635c98ee5f760f4d
@@ -102,8 +102,14 @@ To configure your system for this, simply:
102
102
  2. Authenticate using OAuth 2.0 `$ gcloud auth login`
103
103
  3. Write code as if already authenticated.
104
104
 
105
- **NOTE:** This is _not_ recommended for running in production. The Cloud SDK
106
- *should* only be used during development.
105
+ **NOTE:** The use of Cloud SDK credentials is _not_ recommended for running in
106
+ production. The Cloud SDK *should* only be used during development.
107
+
108
+ **NOTE:** The use of Cloud SDK credentials may not support certain methods such as
109
+ those that produce
110
+ [signed URLs](https://cloud.google.com/storage/docs/access-control/signed-urls) and
111
+ post objects. For these methods, authentication using a service account JSON key file
112
+ is required.
107
113
 
108
114
  [gce-how-to]: https://cloud.google.com/compute/docs/authentication#using
109
115
  [dev-console]: https://console.cloud.google.com/project
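Review bot: The second NOTE states that a service account JSON key file "is required" for signed URLs and post objects, which conflicts with the 1.27.0 entry in this same diff ("Add support for signing URLs with IAMCredentials SignBlob API") and with the new `signer` documentation, both of which describe signing without a local private key. Suggest rewording to say that these methods need either a service account key or a `signer` Proc backed by signBlob, so readers are not steered toward exporting long-lived key files when they do not need one.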
@@ -1,5 +1,64 @@
1
1
  # Release History
2
2
 
3
+ ### 1.29.1 / 2020-10-05
4
+
5
+ #### Bug Fixes
6
+
7
+ * Fix encoding of space characters in file names in signed_url v4
8
+
9
+ #### Documentation
10
+
11
+ * Update Bucket#default_kms_key= docs
12
+ * Demonstrate deleting the Cloud KMS encryption key
13
+ * Update customer-supplied encryption key docs and examples ([#7851](https://www.github.com/googleapis/google-cloud-ruby/issues/7851))
14
+
15
+ ### 1.29.0 / 2020-09-22
16
+
17
+ #### Features
18
+
19
+ * quota_project can be set via library configuration ([#7656](https://www.github.com/googleapis/google-cloud-ruby/issues/7656))
20
+
21
+ #### Bug Fixes
22
+
23
+ * Fix encoding of space characters in #signed_url version: :v4
24
+ * Fix encoding of space characters to use percent encoding (%20) instead of plus sign (+).
25
+
26
+ #### Documentation
27
+
28
+ * Add custom time to file metadata sample
29
+
30
+ ### 1.28.0 / 2020-08-26
31
+
32
+ * Add Object Lifecycle Management fields
33
+ * Add custom_time_before to Lifecycle::Rule
34
+ * Add days_since_custom_time to Lifecycle::Rule
35
+ * Add days_since_noncurrent_time to Lifecycle::Rule
36
+ * Add noncurrent_time_before to Lifecycle::Rule
37
+ * Add File#custom_time and #custom_time=
38
+
39
+ ### 1.27.0 / 2020-07-29
40
+
41
+ #### Features
42
+
43
+ * Add support for signing URLs with IAMCredentials SignBlob API
44
+ * Add signer parameter accepting Procs to the following methods:
45
+ * Project#signed_url
46
+ * Bucket#generate_signed_post_policy_v4
47
+ * Bucket#post_object
48
+ * Bucket#signed_url
49
+ * File#signed_url
50
+ * Update signer aliases signing_key and private_key to similarly support Procs
51
+
52
+ #### Documentation
53
+
54
+ * Update documentation of SignedUrlUnavailable
55
+
56
+ ### 1.26.2 / 2020-05-28
57
+
58
+ #### Documentation
59
+
60
+ * Fix a few broken links
61
+
3
62
  ### 1.26.1 / 2020-05-06
4
63
 
5
64
  #### Bug Fixes
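Review bot: The 1.29.1 entry "Fix encoding of space characters in file names in signed_url v4" reads as a repeat of the 1.29.0 fix "Fix encoding of space characters in #signed_url version: :v4" and does not say what was still broken after 1.29.0. Suggest stating the remaining case (file names, as opposed to whatever 1.29.0 covered) so users on 1.29.0 can tell whether their signed URLs are affected. Separately, the 1.28.0 entry has no `#### Features` subheading, unlike every other release in this hunk.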
@@ -24,14 +24,8 @@ improved, *please* create a new issue on GitHub so we can talk about it.
24
24
 
25
25
  - [New issue][gh-ruby]
26
26
 
27
- Or, you can ask questions on the [Google Cloud Platform Slack][slack-ruby]. You
28
- can use the "ruby" channel for general Ruby questions, or use the
29
- "google-cloud-ruby" channel if you have questions about this gem in particular.
30
-
31
27
  [so-ruby]: http://stackoverflow.com/questions/tagged/google-cloud-platform+ruby+storage
32
28
 
33
- [gh-search-ruby]: https://github.com/googlecloudplatform/google-cloud-ruby/issues?q=label%3A%22api%3A+storage%22
34
-
35
- [gh-ruby]: https://github.com/googlecloudplatform/google-cloud-ruby/issues/new
29
+ [gh-search-ruby]: https://github.com/googleapis/google-cloud-ruby/issues?q=label%3A%22api%3A+storage%22
36
30
 
37
- [slack-ruby]: https://gcp-slack.appspot.com/
31
+ [gh-ruby]: https://github.com/googleapis/google-cloud-ruby/issues/new
@@ -136,6 +136,7 @@ Google::Cloud.configure.add_config! :storage do |config|
136
136
  allow_nil: true
137
137
  config.add_alias! :keyfile, :credentials
138
138
  config.add_field! :scope, nil, match: [String, Array]
139
+ config.add_field! :quota_project, nil, match: String
139
140
  config.add_field! :retries, nil, match: Integer
140
141
  config.add_field! :timeout, nil, match: Integer
141
142
  # TODO: Remove once discovery document is updated.
@@ -93,7 +93,8 @@ module Google
93
93
  Storage::Project.new(
94
94
  Storage::Service.new(
95
95
  project_id, credentials,
96
- retries: retries, timeout: timeout, host: endpoint
96
+ retries: retries, timeout: timeout, host: endpoint,
97
+ quota_project: configure.quota_project
97
98
  )
98
99
  )
99
100
  end
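Review bot: In the `Storage::Service.new` call, `quota_project: configure.quota_project` reads the global configuration directly, while `retries`, `timeout` and `endpoint` on the line above are passed as locals. If those locals come from keyword arguments of this constructor, `quota_project` is the only option a caller cannot override per client. Suggest adding a `quota_project:` keyword that falls back to `configure.quota_project`, and documenting it next to the other options.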
@@ -557,7 +557,8 @@ module Google
557
557
  # Set the Cloud KMS encryption key that will be used to protect files.
558
558
  # For example: `projects/a/locations/b/keyRings/c/cryptoKeys/d`
559
559
  #
560
- # @param [String] new_default_kms_key New Cloud KMS key name.
560
+ # @param [String, nil] new_default_kms_key New Cloud KMS key name, or
561
+ # `nil` to delete the Cloud KMS encryption key.
561
562
  #
562
563
  # @example
563
564
  # require "google/cloud/storage"
@@ -571,6 +572,15 @@ module Google
571
572
  #
572
573
  # bucket.default_kms_key = kms_key_name
573
574
  #
575
+ # @example Delete the default Cloud KMS encryption key:
576
+ # require "google/cloud/storage"
577
+ #
578
+ # storage = Google::Cloud::Storage.new
579
+ #
580
+ # bucket = storage.bucket "my-bucket"
581
+ #
582
+ # bucket.default_kms_key = nil
583
+ #
574
584
  def default_kms_key= new_default_kms_key
575
585
  @gapi.encryption = API::Bucket::Encryption.new \
576
586
  default_kms_key_name: new_default_kms_key
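Review bot: The new example documents `bucket.default_kms_key = nil`, but the setter body shown in the context lines is unchanged and still builds `API::Bucket::Encryption.new default_kms_key_name: new_default_kms_key`, so with `nil` it sends an Encryption object whose key name is nil. Please confirm, with a test, that this is serialized in the update request as clearing the bucket's encryption setting rather than being dropped as an empty field. The wording "Delete the default Cloud KMS encryption key" can also be read as deleting the key in Cloud KMS; "Remove the bucket's default Cloud KMS key" would be less ambiguous.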
@@ -1128,6 +1138,11 @@ module Google
1128
1138
  # @param [String] content_type The
1129
1139
  # [Content-Type](https://tools.ietf.org/html/rfc2616#section-14.17)
1130
1140
  # response header to be returned when the file is downloaded.
1141
+ # @param [DateTime] custom_time A custom time specified by the user for
1142
+ # the file. Once set, custom_time can't be unset, and it can only be
1143
+ # changed to a time in the future. If custom_time must be unset, you
1144
+ # must either perform a rewrite operation, or upload the data again
1145
+ # and create a new file.
1131
1146
  # @param [String] crc32c The CRC32c checksum of the file data, as
1132
1147
  # described in [RFC 4960, Appendix
1133
1148
  # B](http://tools.ietf.org/html/rfc4960#appendix-B).
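Review bot: In the new `custom_time` description, "it can only be changed to a time in the future" is ambiguous: it can mean later than the current `custom_time` value or later than the present moment. Suggest stating which of the two the service enforces, since lifecycle rules added in 1.28.0 (`custom_time_before`, `days_since_custom_time`) depend on this value and a caller needs to know what updates will be rejected.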
@@ -1249,7 +1264,7 @@ module Google
1249
1264
  #
1250
1265
  def create_file file, path = nil, acl: nil, cache_control: nil,
1251
1266
  content_disposition: nil, content_encoding: nil,
1252
- content_language: nil, content_type: nil,
1267
+ content_language: nil, content_type: nil, custom_time: nil,
1253
1268
  crc32c: nil, md5: nil, metadata: nil,
1254
1269
  storage_class: nil, encryption_key: nil, kms_key: nil,
1255
1270
  temporary_hold: nil, event_based_hold: nil
@@ -1264,6 +1279,7 @@ module Google
1264
1279
  md5: md5,
1265
1280
  cache_control: cache_control,
1266
1281
  content_type: content_type,
1282
+ custom_time: custom_time,
1267
1283
  content_disposition: content_disposition,
1268
1284
  crc32c: crc32c,
1269
1285
  content_encoding: content_encoding,
@@ -1406,7 +1422,7 @@ module Google
1406
1422
  # A {SignedUrlUnavailable} is raised if the service account credentials
1407
1423
  # are missing. Service account credentials are acquired by following the
1408
1424
  # steps in [Service Account Authentication](
1409
- # https://cloud.google.com/storage/docs/authentication#service_accounts).
1425
+ # https://cloud.google.com/iam/docs/service-accounts).
1410
1426
  #
1411
1427
  # @see https://cloud.google.com/storage/docs/access-control/signed-urls
1412
1428
  # Signed URLs guide
@@ -1433,10 +1449,22 @@ module Google
1433
1449
  # use the signed URL.
1434
1450
  # @param [String] issuer Service Account's Client Email.
1435
1451
  # @param [String] client_email Service Account's Client Email.
1436
- # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
1437
- # Private Key.
1438
- # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
1439
- # Private Key.
1452
+ # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
1453
+ # Private Key or a Proc that accepts a single String parameter and returns a
1454
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1455
+ # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
1456
+ # Private Key or a Proc that accepts a single String parameter and returns a
1457
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1458
+ # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
1459
+ # Private Key or a Proc that accepts a single String parameter and returns a
1460
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1461
+ #
1462
+ # When using this method in environments such as GAE Flexible Environment,
1463
+ # GKE, or Cloud Functions where the private key is unavailable, it may be
1464
+ # necessary to provide a Proc (or lambda) via the signer parameter. This
1465
+ # Proc should return a signature created using a RPC call to the
1466
+ # [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
1467
+ # method as shown in the example below.
1440
1468
  # @param [Hash] query Query string parameters to include in the signed
1441
1469
  # URL. The given parameters are not verified by the signature.
1442
1470
  #
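Review bot: The three `@param` entries for `signing_key`, `private_key` and `signer` carry identical text and do not say which one wins when more than one is supplied. Suggest documenting the precedence, or marking two of them as aliases of the third as the changelog does ("signer aliases signing_key and private_key"). The Proc contract is also underspecified: "returns a RSA SHA256 signature" does not say whether the return value must be raw bytes or an encoded string, which matters for anyone writing a signer that is not the signBlob example.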
@@ -1462,7 +1490,12 @@ module Google
1462
1490
  # to create. Must be one of `:v2` or `:v4`. The default value is
1463
1491
  # `:v2`.
1464
1492
  #
1465
- # @return [String]
1493
+ # @return [String] The signed URL.
1494
+ #
1495
+ # @raise [SignedUrlUnavailable] If the service account credentials
1496
+ # are missing. Service account credentials are acquired by following the
1497
+ # steps in [Service Account Authentication](
1498
+ # https://cloud.google.com/iam/docs/service-accounts).
1466
1499
  #
1467
1500
  # @example
1468
1501
  # require "google/cloud/storage"
@@ -1493,6 +1526,40 @@ module Google
1493
1526
  # issuer: "service-account@gcloud.com",
1494
1527
  # signing_key: key
1495
1528
  #
1529
+ # @example Using Cloud IAMCredentials signBlob to create the signature:
1530
+ # require "google/cloud/storage"
1531
+ # require "google/apis/iamcredentials_v1"
1532
+ # require "googleauth"
1533
+ #
1534
+ # # Issuer is the service account email that the Signed URL will be signed with
1535
+ # # and any permission granted in the Signed URL must be granted to the
1536
+ # # Google Service Account.
1537
+ # issuer = "service-account@project-id.iam.gserviceaccount.com"
1538
+ #
1539
+ # # Create a lambda that accepts the string_to_sign
1540
+ # signer = lambda do |string_to_sign|
1541
+ # IAMCredentials = Google::Apis::IamcredentialsV1
1542
+ # iam_client = IAMCredentials::IAMCredentialsService.new
1543
+ #
1544
+ # # Get the environment configured authorization
1545
+ # scopes = ["https://www.googleapis.com/auth/iam"]
1546
+ # iam_client.authorization = Google::Auth.get_application_default scopes
1547
+ #
1548
+ # request = {
1549
+ # "payload": string_to_sign,
1550
+ # }
1551
+ # resource = "projects/-/serviceAccounts/#{issuer}"
1552
+ # response = iam_client.sign_service_account_blob resource, request, {}
1553
+ # response.signed_blob
1554
+ # end
1555
+ #
1556
+ # storage = Google::Cloud::Storage.new
1557
+ #
1558
+ # bucket_name = "my-todo-app"
1559
+ # file_path = "avatars/heidi/400x400.png"
1560
+ # url = storage.signed_url bucket_name, file_path,
1561
+ # method: "GET", issuer: issuer,
1562
+ # signer: signer
1496
1563
  # @example Using the `headers` option:
1497
1564
  # require "google/cloud/storage"
1498
1565
  #
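Review bot: Inside the lambda, `IAMCredentials = Google::Apis::IamcredentialsV1` assigns a constant on every invocation. At top level this produces an "already initialized constant" warning from the second call onward, and if the example is pasted into a method body it is a dynamic constant assignment and will not parse. Suggest a local variable, or moving the assignment and the `iam_client` construction outside the lambda so the client and its authorization are built once instead of once per signature. The example is also missing the blank `#` line before the following `@example Using the headers option:` block.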
@@ -1538,6 +1605,7 @@ module Google
1538
1605
  client_email: nil,
1539
1606
  signing_key: nil,
1540
1607
  private_key: nil,
1608
+ signer: nil,
1541
1609
  query: nil,
1542
1610
  scheme: "HTTPS",
1543
1611
  virtual_hosted_style: nil,
@@ -1547,30 +1615,32 @@ module Google
1547
1615
  version ||= :v2
1548
1616
  case version.to_sym
1549
1617
  when :v2
1550
- signer = File::SignerV2.from_bucket self, path
1551
- signer.signed_url method: method,
1552
- expires: expires,
1553
- headers: headers,
1554
- content_type: content_type,
1555
- content_md5: content_md5,
1556
- issuer: issuer,
1557
- client_email: client_email,
1558
- signing_key: signing_key,
1559
- private_key: private_key,
1560
- query: query
1618
+ sign = File::SignerV2.from_bucket self, path
1619
+ sign.signed_url method: method,
1620
+ expires: expires,
1621
+ headers: headers,
1622
+ content_type: content_type,
1623
+ content_md5: content_md5,
1624
+ issuer: issuer,
1625
+ client_email: client_email,
1626
+ signing_key: signing_key,
1627
+ private_key: private_key,
1628
+ signer: signer,
1629
+ query: query
1561
1630
  when :v4
1562
- signer = File::SignerV4.from_bucket self, path
1563
- signer.signed_url method: method,
1564
- expires: expires,
1565
- headers: headers,
1566
- issuer: issuer,
1567
- client_email: client_email,
1568
- signing_key: signing_key,
1569
- private_key: private_key,
1570
- query: query,
1571
- scheme: scheme,
1572
- virtual_hosted_style: virtual_hosted_style,
1573
- bucket_bound_hostname: bucket_bound_hostname
1631
+ sign = File::SignerV4.from_bucket self, path
1632
+ sign.signed_url method: method,
1633
+ expires: expires,
1634
+ headers: headers,
1635
+ issuer: issuer,
1636
+ client_email: client_email,
1637
+ signing_key: signing_key,
1638
+ private_key: private_key,
1639
+ signer: signer,
1640
+ query: query,
1641
+ scheme: scheme,
1642
+ virtual_hosted_style: virtual_hosted_style,
1643
+ bucket_bound_hostname: bucket_bound_hostname
1574
1644
  else
1575
1645
  raise ArgumentError, "version '#{version}' not supported"
1576
1646
  end
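Review bot: The local is renamed from `signer` to `sign` in both the `:v2` and `:v4` branches so that it no longer collides with the new `signer:` keyword, but `sign` reads as a verb and `sign.signed_url` is hard to scan next to `signer: signer`. A noun such as `url_signer` would make the distinction between the SignerV2/SignerV4 object and the caller-supplied key or Proc clearer. This hunk forwards `signing_key`, `private_key` and `signer` unchanged, so the choice between them happens in `File::SignerV2` and `File::SignerV4`; those changes should be reviewed together with this one.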
@@ -1591,7 +1661,7 @@ module Google
1591
1661
  # A {SignedUrlUnavailable} is raised if the service account credentials
1592
1662
  # are missing. Service account credentials are acquired by following the
1593
1663
  # steps in [Service Account Authentication](
1594
- # https://cloud.google.com/storage/docs/authentication#service_accounts).
1664
+ # https://cloud.google.com/iam/docs/service-accounts).
1595
1665
  #
1596
1666
  # @see https://cloud.google.com/storage/docs/xml-api/post-object
1597
1667
  #
@@ -1608,12 +1678,28 @@ module Google
1608
1678
  # for more information.
1609
1679
  # @param [String] issuer Service Account's Client Email.
1610
1680
  # @param [String] client_email Service Account's Client Email.
1611
- # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
1612
- # Private Key.
1613
- # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
1614
- # Private Key.
1681
+ # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
1682
+ # Private Key or a Proc that accepts a single String parameter and returns a
1683
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1684
+ # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
1685
+ # Private Key or a Proc that accepts a single String parameter and returns a
1686
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1687
+ # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
1688
+ # Private Key or a Proc that accepts a single String parameter and returns a
1689
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1690
+ #
1691
+ # When using this method in environments such as GAE Flexible Environment,
1692
+ # GKE, or Cloud Functions where the private key is unavailable, it may be
1693
+ # necessary to provide a Proc (or lambda) via the signer parameter. This
1694
+ # Proc should return a signature created using a RPC call to the
1695
+ # [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
1696
+ # method as shown in the example below.
1697
+ # @return [PostObject] An object containing the URL, fields, and values needed to upload files via html forms.
1615
1698
  #
1616
- # @return [PostObject]
1699
+ # @raise [SignedUrlUnavailable] If the service account credentials
1700
+ # are missing. Service account credentials are acquired by following the
1701
+ # steps in [Service Account Authentication](
1702
+ # https://cloud.google.com/iam/docs/service-accounts).
1617
1703
  #
1618
1704
  # @example
1619
1705
  # require "google/cloud/storage"
@@ -1673,19 +1759,61 @@ module Google
1673
1759
  # post.fields[:signature] #=> "ABC...XYZ="
1674
1760
  # post.fields[:policy] #=> "ABC...XYZ="
1675
1761
  #
1762
+ # @example Using Cloud IAMCredentials signBlob to create the signature:
1763
+ # require "google/cloud/storage"
1764
+ # require "google/apis/iamcredentials_v1"
1765
+ # require "googleauth"
1766
+ #
1767
+ # # Issuer is the service account email that the Signed URL will be signed with
1768
+ # # and any permission granted in the Signed URL must be granted to the
1769
+ # # Google Service Account.
1770
+ # issuer = "service-account@project-id.iam.gserviceaccount.com"
1771
+ #
1772
+ # # Create a lambda that accepts the string_to_sign
1773
+ # signer = lambda do |string_to_sign|
1774
+ # IAMCredentials = Google::Apis::IamcredentialsV1
1775
+ # iam_client = IAMCredentials::IAMCredentialsService.new
1776
+ #
1777
+ # # Get the environment configured authorization
1778
+ # scopes = ["https://www.googleapis.com/auth/iam"]
1779
+ # iam_client.authorization = Google::Auth.get_application_default scopes
1780
+ #
1781
+ # request = {
1782
+ # "payload": string_to_sign,
1783
+ # }
1784
+ # resource = "projects/-/serviceAccounts/#{issuer}"
1785
+ # response = iam_client.sign_service_account_blob resource, request, {}
1786
+ # response.signed_blob
1787
+ # end
1788
+ #
1789
+ # storage = Google::Cloud::Storage.new
1790
+ #
1791
+ # bucket = storage.bucket "my-todo-app"
1792
+ # post = bucket.post_object "avatars/heidi/400x400.png",
1793
+ # issuer: issuer,
1794
+ # signer: signer
1795
+ #
1796
+ # post.url #=> "https://storage.googleapis.com"
1797
+ # post.fields[:key] #=> "my-todo-app/avatars/heidi/400x400.png"
1798
+ # post.fields[:GoogleAccessId] #=> "0123456789@gserviceaccount.com"
1799
+ # post.fields[:signature] #=> "ABC...XYZ="
1800
+ # post.fields[:policy] #=> "ABC...XYZ="
1801
+ #
1676
1802
  def post_object path,
1677
1803
  policy: nil,
1678
1804
  issuer: nil,
1679
1805
  client_email: nil,
1680
1806
  signing_key: nil,
1681
- private_key: nil
1807
+ private_key: nil,
1808
+ signer: nil
1682
1809
  ensure_service!
1683
- signer = File::SignerV2.from_bucket self, path
1684
- signer.post_object issuer: issuer,
1685
- client_email: client_email,
1686
- signing_key: signing_key,
1687
- private_key: private_key,
1688
- policy: policy
1810
+ sign = File::SignerV2.from_bucket self, path
1811
+ sign.post_object issuer: issuer,
1812
+ client_email: client_email,
1813
+ signing_key: signing_key,
1814
+ private_key: private_key,
1815
+ signer: signer,
1816
+ policy: policy
1689
1817
  end
1690
1818
 
1691
1819
  ##
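Review bot: In the new `post_object` example, the expected output `post.fields[:GoogleAccessId] #=> "0123456789@gserviceaccount.com"` does not match the `issuer` the example passes in, `"service-account@project-id.iam.gserviceaccount.com"`. Since the point of the example is that the signature is made on behalf of that issuer, the sample output should show the same address. The signBlob lambda is also copied verbatim from the `signed_url` example; a shared reference would keep the three copies in this file from drifting.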
@@ -1703,17 +1831,29 @@ module Google
1703
1831
  # A {SignedUrlUnavailable} is raised if the service account credentials
1704
1832
  # are missing. Service account credentials are acquired by following the
1705
1833
  # steps in [Service Account Authentication](
1706
- # https://cloud.google.com/storage/docs/authentication#service_accounts).
1834
+ # https://cloud.google.com/iam/docs/service-accounts).
1707
1835
  #
1708
1836
  # @see https://cloud.google.com/storage/docs/xml-api/post-object
1709
1837
  #
1710
1838
  # @param [String] path Path to the file in Google Cloud Storage.
1711
1839
  # @param [String] issuer Service Account's Client Email.
1712
1840
  # @param [String] client_email Service Account's Client Email.
1713
- # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
1714
- # Private Key.
1715
- # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
1716
- # Private Key.
1841
+ # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
1842
+ # Private Key or a Proc that accepts a single String parameter and returns a
1843
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1844
+ # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
1845
+ # Private Key or a Proc that accepts a single String parameter and returns a
1846
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1847
+ # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
1848
+ # Private Key or a Proc that accepts a single String parameter and returns a
1849
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1850
+ #
1851
+ # When using this method in environments such as GAE Flexible Environment,
1852
+ # GKE, or Cloud Functions where the private key is unavailable, it may be
1853
+ # necessary to provide a Proc (or lambda) via the signer parameter. This
1854
+ # Proc should return a signature created using a RPC call to the
1855
+ # [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
1856
+ # method as shown in the example below.
1717
1857
  # @param [Integer] expires The number of seconds until the URL expires.
1718
1858
  # The default is 604800 (7 days).
1719
1859
  # @param [Hash] fields User-supplied form fields such as `acl`,
@@ -1733,6 +1873,11 @@ module Google
1733
1873
  #
1734
1874
  # @return [PostObject] An object containing the URL, fields, and values needed to upload files via html forms.
1735
1875
  #
1876
+ # @raise [SignedUrlUnavailable] If the service account credentials
1877
+ # are missing. Service account credentials are acquired by following the
1878
+ # steps in [Service Account Authentication](
1879
+ # https://cloud.google.com/iam/docs/service-accounts).
1880
+ #
1736
1881
  # @example
1737
1882
  # require "google/cloud/storage"
1738
1883
  #
@@ -1752,11 +1897,56 @@ module Google
1752
1897
  # post.fields["x-goog-date"] #=> "20200128T000000Z"
1753
1898
  # post.fields["x-goog-signature"] #=> "4893a0e...cd82"
1754
1899
  #
1900
+ # @example Using Cloud IAMCredentials signBlob to create the signature:
1901
+ # require "google/cloud/storage"
1902
+ # require "google/apis/iamcredentials_v1"
1903
+ # require "googleauth"
1904
+ #
1905
+ # # Issuer is the service account email that the Signed URL will be signed with
1906
+ # # and any permission granted in the Signed URL must be granted to the
1907
+ # # Google Service Account.
1908
+ # issuer = "service-account@project-id.iam.gserviceaccount.com"
1909
+ #
1910
+ # # Create a lambda that accepts the string_to_sign
1911
+ # signer = lambda do |string_to_sign|
1912
+ # IAMCredentials = Google::Apis::IamcredentialsV1
1913
+ # iam_client = IAMCredentials::IAMCredentialsService.new
1914
+ #
1915
+ # # Get the environment configured authorization
1916
+ # scopes = ["https://www.googleapis.com/auth/iam"]
1917
+ # iam_client.authorization = Google::Auth.get_application_default scopes
1918
+ #
1919
+ # request = {
1920
+ # "payload": string_to_sign,
1921
+ # }
1922
+ # resource = "projects/-/serviceAccounts/#{issuer}"
1923
+ # response = iam_client.sign_service_account_blob resource, request, {}
1924
+ # response.signed_blob
1925
+ # end
1926
+ #
1927
+ # storage = Google::Cloud::Storage.new
1928
+ #
1929
+ # bucket = storage.bucket "my-todo-app"
1930
+ # conditions = [["starts-with", "$acl","public"]]
1931
+ # post = bucket.generate_signed_post_policy_v4(
1932
+ # "avatars/heidi/400x400.png", expires: 10,
1933
+ # conditions: conditions, issuer: issuer, signer: signer
1934
+ # )
1935
+ #
1936
+ # post.url #=> "https://storage.googleapis.com/my-todo-app/"
1937
+ # post.fields["key"] #=> "my-todo-app/avatars/heidi/400x400.png"
1938
+ # post.fields["policy"] #=> "ABC...XYZ"
1939
+ # post.fields["x-goog-algorithm"] #=> "GOOG4-RSA-SHA256"
1940
+ # post.fields["x-goog-credential"] #=> "cred@pid.iam.gserviceaccount.com/20200123/auto/storage/goog4_request"
1941
+ # post.fields["x-goog-date"] #=> "20200128T000000Z"
1942
+ # post.fields["x-goog-signature"] #=> "4893a0e...cd82"
1943
+ #
1755
1944
  def generate_signed_post_policy_v4 path,
1756
1945
  issuer: nil,
1757
1946
  client_email: nil,
1758
1947
  signing_key: nil,
1759
1948
  private_key: nil,
1949
+ signer: nil,
1760
1950
  expires: nil,
1761
1951
  fields: nil,
1762
1952
  conditions: nil,
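Review bot: The example policy uses `conditions = [["starts-with", "$acl","public"]]`, which accepts any ACL value beginning with "public" rather than one specific ACL. Documentation examples get copied into production, so suggest an exact-match condition on the single ACL the upload form is meant to allow. The sample output also shows `x-goog-credential` with `cred@pid.iam.gserviceaccount.com/20200123/...` next to `x-goog-date` of `20200128T000000Z`: the credential address does not match the `issuer` used above, and the two dates disagree.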
@@ -1764,17 +1954,18 @@ module Google
1764
1954
  virtual_hosted_style: nil,
1765
1955
  bucket_bound_hostname: nil
1766
1956
  ensure_service!
1767
- signer = File::SignerV4.from_bucket self, path
1768
- signer.post_object issuer: issuer,
1769
- client_email: client_email,
1770
- signing_key: signing_key,
1771
- private_key: private_key,
1772
- expires: expires,
1773
- fields: fields,
1774
- conditions: conditions,
1775
- scheme: scheme,
1776
- virtual_hosted_style: virtual_hosted_style,
1777
- bucket_bound_hostname: bucket_bound_hostname
1957
+ sign = File::SignerV4.from_bucket self, path
1958
+ sign.post_object issuer: issuer,
1959
+ client_email: client_email,
1960
+ signing_key: signing_key,
1961
+ private_key: private_key,
1962
+ signer: signer,
1963
+ expires: expires,
1964
+ fields: fields,
1965
+ conditions: conditions,
1966
+ scheme: scheme,
1967
+ virtual_hosted_style: virtual_hosted_style,
1968
+ bucket_bound_hostname: bucket_bound_hostname
1778
1969
  end
1779
1970
 
1780
1971
  ##