google-cloud-storage 1.26.1 → 1.29.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9083f05d349c2e50228481a762993db7250f193118f4012e8ba0b6b2036a7e1e
-  data.tar.gz: 4d217ea587ff127e0359b099de79e2bf0115632eb53be81b97fb8e1b2e63cc28
+  metadata.gz: 9d4a2aa4fb9f98b7c0e842d436fe23e66d44af1f47afaba5cb3feea37dc7a04e
+  data.tar.gz: 53e4761ea01664572d9e5f39d90d41ef2726cf9879ef8cda51b77c395e5fa4a2
 SHA512:
-  metadata.gz: f330d5447ebf7b013156306bdd768d1706843f12158923a3c31b60a7e54fc549f43848085db410e3b7542841e4443ada762e42b3d722f35a1038d43505c9be3f
-  data.tar.gz: e803bc25863cfdea1b9fc50fccd9db7cb0d0aef652540253704fc74452bb1f95c0537b51ecd96ba764bc431046c0f4297bf682dfb435302e706ea574f4859d80
+  metadata.gz: 378453a678dd7d46d92454773c8c564a206dfbfdaa7ac35b828f889e7c0b378d7beaf951d631dd0a8714bb105db9221d53a8536d2ed8a89a323799f932bf1cb7
+  data.tar.gz: 9707109d71ed6e4f0fb07d0260cfb5ece5f5f1018731b0b2a9ff3a369dd84804c4e154572589d34329fb962b3ee62fa120e8b4faad274ab6635c98ee5f760f4d

data/AUTHENTICATION.md

@@ -102,8 +102,14 @@ To configure your system for this, simply:
 2. Authenticate using OAuth 2.0 `$ gcloud auth login`
 3. Write code as if already authenticated.
 
-**NOTE:** This is _not_ recommended for running in production. The Cloud SDK
-*should* only be used during development.
+**NOTE:** The use of Cloud SDK credentials is _not_ recommended for running in
+production. The Cloud SDK *should* only be used during development.
+
+**NOTE:** The use of Cloud SDK credentials may not support certain methods such as
+those that produce
+[signed URLs](https://cloud.google.com/storage/docs/access-control/signed-urls) and
+post objects. For these methods, authentication using a service account JSON key file
+is required.
 
 [gce-how-to]: https://cloud.google.com/compute/docs/authentication#using
 [dev-console]: https://console.cloud.google.com/project

data/CHANGELOG.md

@@ -1,5 +1,64 @@
 # Release History
 
+### 1.29.1 / 2020-10-05
+
+#### Bug Fixes
+
+* Fix encoding of space characters in file names in signed_url v4
+
+#### Documentation
+
+* Update Bucket#default_kms_key= docs
+  * Demonstrate deleting the Cloud KMS encryption key
+* Update customer-supplied encryption key docs and examples ([#7851](https://www.github.com/googleapis/google-cloud-ruby/issues/7851))
+
+### 1.29.0 / 2020-09-22
+
+#### Features
+
+* quota_project can be set via library configuration ([#7656](https://www.github.com/googleapis/google-cloud-ruby/issues/7656))
+
+#### Bug Fixes
+
+* Fix encoding of space characters in #signed_url version: :v4
+  * Fix encoding of space characters to use percent encoding (%20) instead of plus sign (+).
+
+#### Documentation
+
+* Add custom time to file metadata sample
+
+### 1.28.0 / 2020-08-26
+
+* Add Object Lifecycle Management fields
+  * Add custom_time_before to Lifecycle::Rule
+  * Add days_since_custom_time to Lifecycle::Rule
+  * Add days_since_noncurrent_time to Lifecycle::Rule
+  * Add noncurrent_time_before to Lifecycle::Rule
+  * Add File#custom_time and #custom_time=
+
+### 1.27.0 / 2020-07-29
+
+#### Features
+
+* Add support for signing URLs with IAMCredentials SignBlob API
+  * Add signer parameter accepting Procs to the following methods:
+    * Project#signed_url
+    * Bucket#generate_signed_post_policy_v4
+    * Bucket#post_object
+    * Bucket#signed_url
+    * File#signed_url
+  * Update signer aliases signing_key and private_key to similarly support Procs
+
+#### Documentation
+
+* Update documentation of SignedUrlUnavailable
+
+### 1.26.2 / 2020-05-28
+
+#### Documentation
+
+* Fix a few broken links
+
 ### 1.26.1 / 2020-05-06
 
 #### Bug Fixes

data/TROUBLESHOOTING.md

@@ -24,14 +24,8 @@ improved, *please* create a new issue on GitHub so we can talk about it.
 
   - [New issue][gh-ruby]
 
-Or, you can ask questions on the [Google Cloud Platform Slack][slack-ruby]. You
-can use the "ruby" channel for general Ruby questions, or use the
-"google-cloud-ruby" channel if you have questions about this gem in particular.
-
 [so-ruby]: http://stackoverflow.com/questions/tagged/google-cloud-platform+ruby+storage
 
-[gh-search-ruby]: https://github.com/googlecloudplatform/google-cloud-ruby/issues?q=label%3A%22api%3A+storage%22
-
-[gh-ruby]: https://github.com/googlecloudplatform/google-cloud-ruby/issues/new
+[gh-search-ruby]: https://github.com/googleapis/google-cloud-ruby/issues?q=label%3A%22api%3A+storage%22
 
-[slack-ruby]: https://gcp-slack.appspot.com/
+[gh-ruby]: https://github.com/googleapis/google-cloud-ruby/issues/new

data/lib/google-cloud-storage.rb

@@ -136,6 +136,7 @@ Google::Cloud.configure.add_config! :storage do |config|
                     allow_nil: true
   config.add_alias! :keyfile, :credentials
   config.add_field! :scope, nil, match: [String, Array]
+  config.add_field! :quota_project, nil, match: String
   config.add_field! :retries, nil, match: Integer
   config.add_field! :timeout, nil, match: Integer
   # TODO: Remove once discovery document is updated.

data/lib/google/cloud/storage.rb

@@ -93,7 +93,8 @@ module Google
         Storage::Project.new(
           Storage::Service.new(
             project_id, credentials,
-            retries: retries, timeout: timeout, host: endpoint
+            retries: retries, timeout: timeout, host: endpoint,
+            quota_project: configure.quota_project
           )
         )
       end

data/lib/google/cloud/storage/bucket.rb

@@ -557,7 +557,8 @@ module Google
         # Set the Cloud KMS encryption key that will be used to protect files.
         # For example: `projects/a/locations/b/keyRings/c/cryptoKeys/d`
         #
-        # @param [String] new_default_kms_key New Cloud KMS key name.
+        # @param [String, nil] new_default_kms_key New Cloud KMS key name, or
+        #   `nil` to delete the Cloud KMS encryption key.
         #
         # @example
         #   require "google/cloud/storage"
@@ -571,6 +572,15 @@ module Google
         #
         #   bucket.default_kms_key = kms_key_name
         #
+        # @example Delete the default Cloud KMS encryption key:
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-bucket"
+        #
+        #   bucket.default_kms_key = nil
+        #
         def default_kms_key= new_default_kms_key
           @gapi.encryption = API::Bucket::Encryption.new \
             default_kms_key_name: new_default_kms_key
@@ -1128,6 +1138,11 @@ module Google
         # @param [String] content_type The
         #   [Content-Type](https://tools.ietf.org/html/rfc2616#section-14.17)
         #   response header to be returned when the file is downloaded.
+        # @param [DateTime] custom_time A custom time specified by the user for
+        #   the file. Once set, custom_time can't be unset, and it can only be
+        #   changed to a time in the future. If custom_time must be unset, you
+        #   must either perform a rewrite operation, or upload the data again
+        #   and create a new file.
         # @param [String] crc32c The CRC32c checksum of the file data, as
         #   described in [RFC 4960, Appendix
         #   B](http://tools.ietf.org/html/rfc4960#appendix-B).
@@ -1249,7 +1264,7 @@ module Google
         #
         def create_file file, path = nil, acl: nil, cache_control: nil,
                         content_disposition: nil, content_encoding: nil,
-                        content_language: nil, content_type: nil,
+                        content_language: nil, content_type: nil, custom_time: nil,
                         crc32c: nil, md5: nil, metadata: nil,
                         storage_class: nil, encryption_key: nil, kms_key: nil,
                         temporary_hold: nil, event_based_hold: nil
@@ -1264,6 +1279,7 @@ module Google
                                                        md5: md5,
                                                        cache_control: cache_control,
                                                        content_type: content_type,
+                                                       custom_time: custom_time,
                                                        content_disposition: content_disposition,
                                                        crc32c: crc32c,
                                                        content_encoding: content_encoding,
@@ -1406,7 +1422,7 @@ module Google
         # A {SignedUrlUnavailable} is raised if the service account credentials
         # are missing. Service account credentials are acquired by following the
         # steps in [Service Account Authentication](
-        # https://cloud.google.com/storage/docs/authentication#service_accounts).
+        # https://cloud.google.com/iam/docs/service-accounts).
         #
         # @see https://cloud.google.com/storage/docs/access-control/signed-urls
         #   Signed URLs guide
@@ -1433,10 +1449,22 @@ module Google
         #   use the signed URL.
         # @param [String] issuer Service Account's Client Email.
         # @param [String] client_email Service Account's Client Email.
-        # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
-        #   Private Key.
-        # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
-        #   Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        #
+        #   When using this method in environments such as GAE Flexible Environment,
+        #   GKE, or Cloud Functions where the private key is unavailable, it may be
+        #   necessary to provide a Proc (or lambda) via the signer parameter. This
+        #   Proc should return a signature created using a RPC call to the
+        #   [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
+        #   method as shown in the example below.
         # @param [Hash] query Query string parameters to include in the signed
         #   URL. The given parameters are not verified by the signature.
         #
@@ -1462,7 +1490,12 @@ module Google
         #   to create. Must be one of `:v2` or `:v4`. The default value is
         #   `:v2`.
         #
-        # @return [String]
+        # @return [String] The signed URL.
+        #
+        # @raise [SignedUrlUnavailable] If the service account credentials
+        #   are missing. Service account credentials are acquired by following the
+        #   steps in [Service Account Authentication](
+        #   https://cloud.google.com/iam/docs/service-accounts).
         #
         # @example
         #   require "google/cloud/storage"
@@ -1493,6 +1526,40 @@ module Google
         #                                  issuer: "service-account@gcloud.com",
         #                                  signing_key: key
         #
+        # @example Using Cloud IAMCredentials signBlob to create the signature:
+        #   require "google/cloud/storage"
+        #   require "google/apis/iamcredentials_v1"
+        #   require "googleauth"
+        #
+        #   # Issuer is the service account email that the Signed URL will be signed with
+        #   # and any permission granted in the Signed URL must be granted to the
+        #   # Google Service Account.
+        #   issuer = "service-account@project-id.iam.gserviceaccount.com"
+        #
+        #   # Create a lambda that accepts the string_to_sign
+        #   signer = lambda do |string_to_sign|
+        #     IAMCredentials = Google::Apis::IamcredentialsV1
+        #     iam_client = IAMCredentials::IAMCredentialsService.new
+        #
+        #     # Get the environment configured authorization
+        #     scopes = ["https://www.googleapis.com/auth/iam"]
+        #     iam_client.authorization = Google::Auth.get_application_default scopes
+        #
+        #     request = {
+        #       "payload": string_to_sign,
+        #     }
+        #     resource = "projects/-/serviceAccounts/#{issuer}"
+        #     response = iam_client.sign_service_account_blob resource, request, {}
+        #     response.signed_blob
+        #   end
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket_name = "my-todo-app"
+        #   file_path = "avatars/heidi/400x400.png"
+        #   url = storage.signed_url bucket_name, file_path,
+        #                            method: "GET", issuer: issuer,
+        #                            signer: signer
         # @example Using the `headers` option:
         #   require "google/cloud/storage"
         #
@@ -1538,6 +1605,7 @@ module Google
                        client_email: nil,
                        signing_key: nil,
                        private_key: nil,
+                       signer: nil,
                        query: nil,
                        scheme: "HTTPS",
                        virtual_hosted_style: nil,
@@ -1547,30 +1615,32 @@ module Google
           version ||= :v2
           case version.to_sym
           when :v2
-            signer = File::SignerV2.from_bucket self, path
-            signer.signed_url method: method,
-                              expires: expires,
-                              headers: headers,
-                              content_type: content_type,
-                              content_md5: content_md5,
-                              issuer: issuer,
-                              client_email: client_email,
-                              signing_key: signing_key,
-                              private_key: private_key,
-                              query: query
+            sign = File::SignerV2.from_bucket self, path
+            sign.signed_url method: method,
+                            expires: expires,
+                            headers: headers,
+                            content_type: content_type,
+                            content_md5: content_md5,
+                            issuer: issuer,
+                            client_email: client_email,
+                            signing_key: signing_key,
+                            private_key: private_key,
+                            signer: signer,
+                            query: query
           when :v4
-            signer = File::SignerV4.from_bucket self, path
-            signer.signed_url method: method,
-                              expires: expires,
-                              headers: headers,
-                              issuer: issuer,
-                              client_email: client_email,
-                              signing_key: signing_key,
-                              private_key: private_key,
-                              query: query,
-                              scheme: scheme,
-                              virtual_hosted_style: virtual_hosted_style,
-                              bucket_bound_hostname: bucket_bound_hostname
+            sign = File::SignerV4.from_bucket self, path
+            sign.signed_url method: method,
+                            expires: expires,
+                            headers: headers,
+                            issuer: issuer,
+                            client_email: client_email,
+                            signing_key: signing_key,
+                            private_key: private_key,
+                            signer: signer,
+                            query: query,
+                            scheme: scheme,
+                            virtual_hosted_style: virtual_hosted_style,
+                            bucket_bound_hostname: bucket_bound_hostname
           else
             raise ArgumentError, "version '#{version}' not supported"
           end
@@ -1591,7 +1661,7 @@ module Google
         # A {SignedUrlUnavailable} is raised if the service account credentials
         # are missing. Service account credentials are acquired by following the
         # steps in [Service Account Authentication](
-        # https://cloud.google.com/storage/docs/authentication#service_accounts).
+        # https://cloud.google.com/iam/docs/service-accounts).
         #
         # @see https://cloud.google.com/storage/docs/xml-api/post-object
         #
@@ -1608,12 +1678,28 @@ module Google
         #   for more information.
         # @param [String] issuer Service Account's Client Email.
         # @param [String] client_email Service Account's Client Email.
-        # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
-        #   Private Key.
-        # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
-        #   Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        #
+        #   When using this method in environments such as GAE Flexible Environment,
+        #   GKE, or Cloud Functions where the private key is unavailable, it may be
+        #   necessary to provide a Proc (or lambda) via the signer parameter. This
+        #   Proc should return a signature created using a RPC call to the
+        #   [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
+        #   method as shown in the example below.
+        # @return [PostObject] An object containing the URL, fields, and values needed to upload files via html forms.
         #
-        # @return [PostObject]
+        # @raise [SignedUrlUnavailable] If the service account credentials
+        #   are missing. Service account credentials are acquired by following the
+        #   steps in [Service Account Authentication](
+        #   https://cloud.google.com/iam/docs/service-accounts).
         #
         # @example
         #   require "google/cloud/storage"
@@ -1673,19 +1759,61 @@ module Google
         #   post.fields[:signature] #=> "ABC...XYZ="
         #   post.fields[:policy] #=> "ABC...XYZ="
         #
+        # @example Using Cloud IAMCredentials signBlob to create the signature:
+        #   require "google/cloud/storage"
+        #   require "google/apis/iamcredentials_v1"
+        #   require "googleauth"
+        #
+        #   # Issuer is the service account email that the Signed URL will be signed with
+        #   # and any permission granted in the Signed URL must be granted to the
+        #   # Google Service Account.
+        #   issuer = "service-account@project-id.iam.gserviceaccount.com"
+        #
+        #   # Create a lambda that accepts the string_to_sign
+        #   signer = lambda do |string_to_sign|
+        #     IAMCredentials = Google::Apis::IamcredentialsV1
+        #     iam_client = IAMCredentials::IAMCredentialsService.new
+        #
+        #     # Get the environment configured authorization
+        #     scopes = ["https://www.googleapis.com/auth/iam"]
+        #     iam_client.authorization = Google::Auth.get_application_default scopes
+        #
+        #     request = {
+        #       "payload": string_to_sign,
+        #     }
+        #     resource = "projects/-/serviceAccounts/#{issuer}"
+        #     response = iam_client.sign_service_account_blob resource, request, {}
+        #     response.signed_blob
+        #   end
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-todo-app"
+        #   post = bucket.post_object "avatars/heidi/400x400.png",
+        #                             issuer: issuer,
+        #                             signer: signer
+        #
+        #   post.url #=> "https://storage.googleapis.com"
+        #   post.fields[:key] #=> "my-todo-app/avatars/heidi/400x400.png"
+        #   post.fields[:GoogleAccessId] #=> "0123456789@gserviceaccount.com"
+        #   post.fields[:signature] #=> "ABC...XYZ="
+        #   post.fields[:policy] #=> "ABC...XYZ="
+        #
         def post_object path,
                         policy: nil,
                         issuer: nil,
                         client_email: nil,
                         signing_key: nil,
-                        private_key: nil
+                        private_key: nil,
+                        signer: nil
           ensure_service!
-          signer = File::SignerV2.from_bucket self, path
-          signer.post_object issuer: issuer,
-                             client_email: client_email,
-                             signing_key: signing_key,
-                             private_key: private_key,
-                             policy: policy
+          sign = File::SignerV2.from_bucket self, path
+          sign.post_object issuer: issuer,
+                           client_email: client_email,
+                           signing_key: signing_key,
+                           private_key: private_key,
+                           signer: signer,
+                           policy: policy
         end
 
         ##
@@ -1703,17 +1831,29 @@ module Google
         # A {SignedUrlUnavailable} is raised if the service account credentials
         # are missing. Service account credentials are acquired by following the
         # steps in [Service Account Authentication](
-        # https://cloud.google.com/storage/docs/authentication#service_accounts).
+        # https://cloud.google.com/iam/docs/service-accounts).
         #
         # @see https://cloud.google.com/storage/docs/xml-api/post-object
         #
         # @param [String] path Path to the file in Google Cloud Storage.
         # @param [String] issuer Service Account's Client Email.
         # @param [String] client_email Service Account's Client Email.
-        # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
-        #   Private Key.
-        # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
-        #   Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        #
+        #   When using this method in environments such as GAE Flexible Environment,
+        #   GKE, or Cloud Functions where the private key is unavailable, it may be
+        #   necessary to provide a Proc (or lambda) via the signer parameter. This
+        #   Proc should return a signature created using a RPC call to the
+        #   [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
+        #   method as shown in the example below.
         # @param [Integer] expires The number of seconds until the URL expires.
         #   The default is 604800 (7 days).
         # @param [Hash] fields User-supplied form fields such as `acl`,
@@ -1733,6 +1873,11 @@ module Google
         #
         # @return [PostObject] An object containing the URL, fields, and values needed to upload files via html forms.
         #
+        # @raise [SignedUrlUnavailable] If the service account credentials
+        #   are missing. Service account credentials are acquired by following the
+        #   steps in [Service Account Authentication](
+        #   https://cloud.google.com/iam/docs/service-accounts).
+        #
         # @example
         #   require "google/cloud/storage"
         #
@@ -1752,11 +1897,56 @@ module Google
         #   post.fields["x-goog-date"] #=> "20200128T000000Z"
         #   post.fields["x-goog-signature"] #=> "4893a0e...cd82"
         #
+        # @example Using Cloud IAMCredentials signBlob to create the signature:
+        #   require "google/cloud/storage"
+        #   require "google/apis/iamcredentials_v1"
+        #   require "googleauth"
+        #
+        #   # Issuer is the service account email that the Signed URL will be signed with
+        #   # and any permission granted in the Signed URL must be granted to the
+        #   # Google Service Account.
+        #   issuer = "service-account@project-id.iam.gserviceaccount.com"
+        #
+        #   # Create a lambda that accepts the string_to_sign
+        #   signer = lambda do |string_to_sign|
+        #     IAMCredentials = Google::Apis::IamcredentialsV1
+        #     iam_client = IAMCredentials::IAMCredentialsService.new
+        #
+        #     # Get the environment configured authorization
+        #     scopes = ["https://www.googleapis.com/auth/iam"]
+        #     iam_client.authorization = Google::Auth.get_application_default scopes
+        #
+        #     request = {
+        #       "payload": string_to_sign,
+        #     }
+        #     resource = "projects/-/serviceAccounts/#{issuer}"
+        #     response = iam_client.sign_service_account_blob resource, request, {}
+        #     response.signed_blob
+        #   end
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-todo-app"
+        #   conditions = [["starts-with", "$acl","public"]]
+        #   post = bucket.generate_signed_post_policy_v4(
+        #     "avatars/heidi/400x400.png", expires: 10,
+        #     conditions: conditions, issuer: issuer, signer: signer
+        #   )
+        #
+        #   post.url #=> "https://storage.googleapis.com/my-todo-app/"
+        #   post.fields["key"] #=> "my-todo-app/avatars/heidi/400x400.png"
+        #   post.fields["policy"] #=> "ABC...XYZ"
+        #   post.fields["x-goog-algorithm"] #=> "GOOG4-RSA-SHA256"
+        #   post.fields["x-goog-credential"] #=> "cred@pid.iam.gserviceaccount.com/20200123/auto/storage/goog4_request"
+        #   post.fields["x-goog-date"] #=> "20200128T000000Z"
+        #   post.fields["x-goog-signature"] #=> "4893a0e...cd82"
+        #
         def generate_signed_post_policy_v4 path,
                                            issuer: nil,
                                            client_email: nil,
                                            signing_key: nil,
                                            private_key: nil,
+                                           signer: nil,
                                            expires: nil,
                                            fields: nil,
                                            conditions: nil,
@@ -1764,17 +1954,18 @@ module Google
                                            virtual_hosted_style: nil,
                                            bucket_bound_hostname: nil
           ensure_service!
-          signer = File::SignerV4.from_bucket self, path
-          signer.post_object issuer: issuer,
-                             client_email: client_email,
-                             signing_key: signing_key,
-                             private_key: private_key,
-                             expires: expires,
-                             fields: fields,
-                             conditions: conditions,
-                             scheme: scheme,
-                             virtual_hosted_style: virtual_hosted_style,
-                             bucket_bound_hostname: bucket_bound_hostname
+          sign = File::SignerV4.from_bucket self, path
+          sign.post_object issuer: issuer,
+                           client_email: client_email,
+                           signing_key: signing_key,
+                           private_key: private_key,
+                           signer: signer,
+                           expires: expires,
+                           fields: fields,
+                           conditions: conditions,
+                           scheme: scheme,
+                           virtual_hosted_style: virtual_hosted_style,
+                           bucket_bound_hostname: bucket_bound_hostname
         end
 
         ##