google-cloud-storage 1.26.2 → 1.29.2

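--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: e3be983e4030e7bf8ecdbf4b6c4e0af49cf5bd6c26874d656446e8222a34e05e
- data.tar.gz: 5cb3efb8d5fb429f11cab27251e2aeaffc27ad452559bedb655be9812ef15dbf
+ metadata.gz: ad286a8539024ffcee1d0239c7db682e3ddb4b6663e5e172354123fa607b96fc
+ data.tar.gz: 29e8c237d1f891d46bddea92ff3151a08c11c32e936376f040d50159668a8f69
  SHA512:
- metadata.gz: ddfc78d9663e563e52b23f44edf41bebc1b2935218fd3fb227d5ad055e50802e2298465b8f6560961e5dbafd34471782951870b09453a664193dd6c3fc8ca534
- data.tar.gz: 9fc5ff1f8ff4cf037e39bb6fb6b30f459d74c77adc08222bdbd3c6637b00c450a42b9563fed33ca1ac8cf4a6be7624c453d85fba82b643ae83e8c4c7390137e0
+ metadata.gz: b7121fbfee2ad413e88d6edfbe83c535a9b17173d2431919e72fed6e8f4eba4c94f84b64d588ade51f50d8f20556a8bef37c6ad8cdaeaca8d6fb58a280168825
+ data.tar.gz: 0cb221a85541a6af70d8be63dd137915110eda09295e9711c566ec669bd574376a1f0125c4ebc559efa0a19268569dc74cd2548891400501d9af6bdfe62da8ce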
@@ -102,8 +102,14 @@ To configure your system for this, simply:
102
102
  2. Authenticate using OAuth 2.0 `$ gcloud auth login`
103
103
  3. Write code as if already authenticated.
104
104
 
105
- **NOTE:** This is _not_ recommended for running in production. The Cloud SDK
106
- *should* only be used during development.
105
+ **NOTE:** The use of Cloud SDK credentials is _not_ recommended for running in
106
+ production. The Cloud SDK *should* only be used during development.
107
+
108
+ **NOTE:** The use of Cloud SDK credentials may not support certain methods such as
109
+ those that produce
110
+ [signed URLs](https://cloud.google.com/storage/docs/access-control/signed-urls) and
111
+ post objects. For these methods, authentication using a service account JSON key file
112
+ is required.
107
113
 
108
114
  [gce-how-to]: https://cloud.google.com/compute/docs/authentication#using
109
115
  [dev-console]: https://console.cloud.google.com/project
@@ -1,5 +1,64 @@
1
1
  # Release History
2
2
 
3
+ ### 1.29.2 / 2020-12-14
4
+
5
+ #### Bug Fixes
6
+
7
+ * Fix support for #generate_signed_post_policy_v4 conditions
8
+
9
+ ### 1.29.1 / 2020-10-05
10
+
11
+ #### Bug Fixes
12
+
13
+ * Fix encoding of space characters in file names in signed_url v4
14
+
15
+ #### Documentation
16
+
17
+ * Update Bucket#default_kms_key= docs
18
+ * Demonstrate deleting the Cloud KMS encryption key
19
+ * Update customer-supplied encryption key docs and examples ([#7851](https://www.github.com/googleapis/google-cloud-ruby/issues/7851))
20
+
21
+ ### 1.29.0 / 2020-09-22
22
+
23
+ #### Features
24
+
25
+ * quota_project can be set via library configuration ([#7656](https://www.github.com/googleapis/google-cloud-ruby/issues/7656))
26
+
27
+ #### Bug Fixes
28
+
29
+ * Fix encoding of space characters in #signed_url version: :v4
30
+ * Fix encoding of space characters to use percent encoding (%20) instead of plus sign (+).
31
+
32
+ #### Documentation
33
+
34
+ * Add custom time to file metadata sample
35
+
36
+ ### 1.28.0 / 2020-08-26
37
+
38
+ * Add Object Lifecycle Management fields
39
+ * Add custom_time_before to Lifecycle::Rule
40
+ * Add days_since_custom_time to Lifecycle::Rule
41
+ * Add days_since_noncurrent_time to Lifecycle::Rule
42
+ * Add noncurrent_time_before to Lifecycle::Rule
43
+ * Add File#custom_time and #custom_time=
44
+
45
+ ### 1.27.0 / 2020-07-29
46
+
47
+ #### Features
48
+
49
+ * Add support for signing URLs with IAMCredentials SignBlob API
50
+ * Add signer parameter accepting Procs to the following methods:
51
+ * Project#signed_url
52
+ * Bucket#generate_signed_post_policy_v4
53
+ * Bucket#post_object
54
+ * Bucket#signed_url
55
+ * File#signed_url
56
+ * Update signer aliases signing_key and private_key to similarly support Procs
57
+
58
+ #### Documentation
59
+
60
+ * Update documentation of SignedUrlUnavailable
61
+
3
62
  ### 1.26.2 / 2020-05-28
4
63
 
5
64
  #### Documentation
@@ -45,7 +45,7 @@ there is a small amount of setup:
45
45
 
46
46
  ```sh
47
47
  $ cd google-cloud-storage/
48
- $ bundle exec rake bundleupdate
48
+ $ bundle install
49
49
  ```
50
50
 
51
51
  ## Console
@@ -136,6 +136,7 @@ Google::Cloud.configure.add_config! :storage do |config|
136
136
  allow_nil: true
137
137
  config.add_alias! :keyfile, :credentials
138
138
  config.add_field! :scope, nil, match: [String, Array]
139
+ config.add_field! :quota_project, nil, match: String
139
140
  config.add_field! :retries, nil, match: Integer
140
141
  config.add_field! :timeout, nil, match: Integer
141
142
  # TODO: Remove once discovery document is updated.
@@ -93,7 +93,8 @@ module Google
93
93
  Storage::Project.new(
94
94
  Storage::Service.new(
95
95
  project_id, credentials,
96
- retries: retries, timeout: timeout, host: endpoint
96
+ retries: retries, timeout: timeout, host: endpoint,
97
+ quota_project: configure.quota_project
97
98
  )
98
99
  )
99
100
  end
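Review bot: `quota_project` is read straight from `configure.quota_project` at the `Storage::Service.new` call, while `retries`, `timeout` and `endpoint` beside it are passed as locals, so as far as this hunk shows a caller cannot pick a quota project for one client. If that is intended, the method's docs should say so, for example `# The quota project is taken from library configuration only (Google::Cloud::Storage.configure.quota_project).`, and note that the credentials in use must be allowed to charge quota to that project. The method starts outside the hunk, so an existing keyword argument may already cover this.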
@@ -557,7 +557,8 @@ module Google
557
557
  # Set the Cloud KMS encryption key that will be used to protect files.
558
558
  # For example: `projects/a/locations/b/keyRings/c/cryptoKeys/d`
559
559
  #
560
- # @param [String] new_default_kms_key New Cloud KMS key name.
560
+ # @param [String, nil] new_default_kms_key New Cloud KMS key name, or
561
+ # `nil` to delete the Cloud KMS encryption key.
561
562
  #
562
563
  # @example
563
564
  # require "google/cloud/storage"
@@ -571,6 +572,15 @@ module Google
571
572
  #
572
573
  # bucket.default_kms_key = kms_key_name
573
574
  #
575
+ # @example Delete the default Cloud KMS encryption key:
576
+ # require "google/cloud/storage"
577
+ #
578
+ # storage = Google::Cloud::Storage.new
579
+ #
580
+ # bucket = storage.bucket "my-bucket"
581
+ #
582
+ # bucket.default_kms_key = nil
583
+ #
574
584
  def default_kms_key= new_default_kms_key
575
585
  @gapi.encryption = API::Bucket::Encryption.new \
576
586
  default_kms_key_name: new_default_kms_key
@@ -1128,6 +1138,11 @@ module Google
1128
1138
  # @param [String] content_type The
1129
1139
  # [Content-Type](https://tools.ietf.org/html/rfc2616#section-14.17)
1130
1140
  # response header to be returned when the file is downloaded.
1141
+ # @param [DateTime] custom_time A custom time specified by the user for
1142
+ # the file. Once set, custom_time can't be unset, and it can only be
1143
+ # changed to a time in the future. If custom_time must be unset, you
1144
+ # must either perform a rewrite operation, or upload the data again
1145
+ # and create a new file.
1131
1146
  # @param [String] crc32c The CRC32c checksum of the file data, as
1132
1147
  # described in [RFC 4960, Appendix
1133
1148
  # B](http://tools.ietf.org/html/rfc4960#appendix-B).
@@ -1249,7 +1264,7 @@ module Google
1249
1264
  #
1250
1265
  def create_file file, path = nil, acl: nil, cache_control: nil,
1251
1266
  content_disposition: nil, content_encoding: nil,
1252
- content_language: nil, content_type: nil,
1267
+ content_language: nil, content_type: nil, custom_time: nil,
1253
1268
  crc32c: nil, md5: nil, metadata: nil,
1254
1269
  storage_class: nil, encryption_key: nil, kms_key: nil,
1255
1270
  temporary_hold: nil, event_based_hold: nil
@@ -1264,6 +1279,7 @@ module Google
1264
1279
  md5: md5,
1265
1280
  cache_control: cache_control,
1266
1281
  content_type: content_type,
1282
+ custom_time: custom_time,
1267
1283
  content_disposition: content_disposition,
1268
1284
  crc32c: crc32c,
1269
1285
  content_encoding: content_encoding,
@@ -1406,7 +1422,7 @@ module Google
1406
1422
  # A {SignedUrlUnavailable} is raised if the service account credentials
1407
1423
  # are missing. Service account credentials are acquired by following the
1408
1424
  # steps in [Service Account Authentication](
1409
- # https://cloud.google.com/storage/docs/authentication#service_accounts).
1425
+ # https://cloud.google.com/iam/docs/service-accounts).
1410
1426
  #
1411
1427
  # @see https://cloud.google.com/storage/docs/access-control/signed-urls
1412
1428
  # Signed URLs guide
@@ -1433,10 +1449,22 @@ module Google
1433
1449
  # use the signed URL.
1434
1450
  # @param [String] issuer Service Account's Client Email.
1435
1451
  # @param [String] client_email Service Account's Client Email.
1436
- # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
1437
- # Private Key.
1438
- # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
1439
- # Private Key.
1452
+ # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
1453
+ # Private Key or a Proc that accepts a single String parameter and returns a
1454
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1455
+ # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
1456
+ # Private Key or a Proc that accepts a single String parameter and returns a
1457
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1458
+ # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
1459
+ # Private Key or a Proc that accepts a single String parameter and returns a
1460
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1461
+ #
1462
+ # When using this method in environments such as GAE Flexible Environment,
1463
+ # GKE, or Cloud Functions where the private key is unavailable, it may be
1464
+ # necessary to provide a Proc (or lambda) via the signer parameter. This
1465
+ # Proc should return a signature created using a RPC call to the
1466
+ # [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
1467
+ # method as shown in the example below.
1440
1468
  # @param [Hash] query Query string parameters to include in the signed
1441
1469
  # URL. The given parameters are not verified by the signature.
1442
1470
  #
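Review bot: The `@param` entries for `signing_key`, `private_key` and `signer` carry identical text, so the docs do not say which one is used when a caller passes more than one, nor what form the Proc's return value must take (raw signature bytes or an encoded string). Since this value decides what signs the URL, one added line would remove the guesswork, e.g. `# If more than one is given, <ORDER> applies; the Proc must return the signature as <ENCODING>.`, with both placeholders filled in from the signer classes, which are not visible here. It would also help to state that the signBlob route requires the calling identity to hold `iam.serviceAccounts.signBlob` on the issuer service account, preferably granted on that one account rather than project-wide. The same paragraph is repeated in the `post_object` and `generate_signed_post_policy_v4` docs further down.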
@@ -1462,7 +1490,12 @@ module Google
1462
1490
  # to create. Must be one of `:v2` or `:v4`. The default value is
1463
1491
  # `:v2`.
1464
1492
  #
1465
- # @return [String]
1493
+ # @return [String] The signed URL.
1494
+ #
1495
+ # @raise [SignedUrlUnavailable] If the service account credentials
1496
+ # are missing. Service account credentials are acquired by following the
1497
+ # steps in [Service Account Authentication](
1498
+ # https://cloud.google.com/iam/docs/service-accounts).
1466
1499
  #
1467
1500
  # @example
1468
1501
  # require "google/cloud/storage"
@@ -1493,6 +1526,40 @@ module Google
1493
1526
  # issuer: "service-account@gcloud.com",
1494
1527
  # signing_key: key
1495
1528
  #
1529
+ # @example Using Cloud IAMCredentials signBlob to create the signature:
1530
+ # require "google/cloud/storage"
1531
+ # require "google/apis/iamcredentials_v1"
1532
+ # require "googleauth"
1533
+ #
1534
+ # # Issuer is the service account email that the Signed URL will be signed with
1535
+ # # and any permission granted in the Signed URL must be granted to the
1536
+ # # Google Service Account.
1537
+ # issuer = "service-account@project-id.iam.gserviceaccount.com"
1538
+ #
1539
+ # # Create a lambda that accepts the string_to_sign
1540
+ # signer = lambda do |string_to_sign|
1541
+ # IAMCredentials = Google::Apis::IamcredentialsV1
1542
+ # iam_client = IAMCredentials::IAMCredentialsService.new
1543
+ #
1544
+ # # Get the environment configured authorization
1545
+ # scopes = ["https://www.googleapis.com/auth/iam"]
1546
+ # iam_client.authorization = Google::Auth.get_application_default scopes
1547
+ #
1548
+ # request = {
1549
+ # "payload": string_to_sign,
1550
+ # }
1551
+ # resource = "projects/-/serviceAccounts/#{issuer}"
1552
+ # response = iam_client.sign_service_account_blob resource, request, {}
1553
+ # response.signed_blob
1554
+ # end
1555
+ #
1556
+ # storage = Google::Cloud::Storage.new
1557
+ #
1558
+ # bucket_name = "my-todo-app"
1559
+ # file_path = "avatars/heidi/400x400.png"
1560
+ # url = storage.signed_url bucket_name, file_path,
1561
+ # method: "GET", issuer: issuer,
1562
+ # signer: signer
1496
1563
  # @example Using the `headers` option:
1497
1564
  # require "google/cloud/storage"
1498
1565
  #
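Review bot: In the new signBlob example, `IAMCredentials = Google::Apis::IamcredentialsV1` is a constant assignment inside the lambda body: pasted into a method it is a SyntaxError (dynamic constant assignment), and elsewhere it re-assigns the constant with a warning on every call after the first. A direct reference avoids both, e.g. `iam_client = Google::Apis::IamcredentialsV1::IAMCredentialsService.new`. The example also builds a new client and fetches application default credentials for every signature; creating `iam_client` once outside the lambda and closing over it is the better pattern to show. The same example appears again in the `post_object` and `generate_signed_post_policy_v4` docs.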
@@ -1538,6 +1605,7 @@ module Google
1538
1605
  client_email: nil,
1539
1606
  signing_key: nil,
1540
1607
  private_key: nil,
1608
+ signer: nil,
1541
1609
  query: nil,
1542
1610
  scheme: "HTTPS",
1543
1611
  virtual_hosted_style: nil,
@@ -1547,30 +1615,32 @@ module Google
1547
1615
  version ||= :v2
1548
1616
  case version.to_sym
1549
1617
  when :v2
1550
- signer = File::SignerV2.from_bucket self, path
1551
- signer.signed_url method: method,
1552
- expires: expires,
1553
- headers: headers,
1554
- content_type: content_type,
1555
- content_md5: content_md5,
1556
- issuer: issuer,
1557
- client_email: client_email,
1558
- signing_key: signing_key,
1559
- private_key: private_key,
1560
- query: query
1618
+ sign = File::SignerV2.from_bucket self, path
1619
+ sign.signed_url method: method,
1620
+ expires: expires,
1621
+ headers: headers,
1622
+ content_type: content_type,
1623
+ content_md5: content_md5,
1624
+ issuer: issuer,
1625
+ client_email: client_email,
1626
+ signing_key: signing_key,
1627
+ private_key: private_key,
1628
+ signer: signer,
1629
+ query: query
1561
1630
  when :v4
1562
- signer = File::SignerV4.from_bucket self, path
1563
- signer.signed_url method: method,
1564
- expires: expires,
1565
- headers: headers,
1566
- issuer: issuer,
1567
- client_email: client_email,
1568
- signing_key: signing_key,
1569
- private_key: private_key,
1570
- query: query,
1571
- scheme: scheme,
1572
- virtual_hosted_style: virtual_hosted_style,
1573
- bucket_bound_hostname: bucket_bound_hostname
1631
+ sign = File::SignerV4.from_bucket self, path
1632
+ sign.signed_url method: method,
1633
+ expires: expires,
1634
+ headers: headers,
1635
+ issuer: issuer,
1636
+ client_email: client_email,
1637
+ signing_key: signing_key,
1638
+ private_key: private_key,
1639
+ signer: signer,
1640
+ query: query,
1641
+ scheme: scheme,
1642
+ virtual_hosted_style: virtual_hosted_style,
1643
+ bucket_bound_hostname: bucket_bound_hostname
1574
1644
  else
1575
1645
  raise ArgumentError, "version '#{version}' not supported"
1576
1646
  end
@@ -1591,7 +1661,7 @@ module Google
1591
1661
  # A {SignedUrlUnavailable} is raised if the service account credentials
1592
1662
  # are missing. Service account credentials are acquired by following the
1593
1663
  # steps in [Service Account Authentication](
1594
- # https://cloud.google.com/storage/docs/authentication#service_accounts).
1664
+ # https://cloud.google.com/iam/docs/service-accounts).
1595
1665
  #
1596
1666
  # @see https://cloud.google.com/storage/docs/xml-api/post-object
1597
1667
  #
@@ -1608,12 +1678,28 @@ module Google
1608
1678
  # for more information.
1609
1679
  # @param [String] issuer Service Account's Client Email.
1610
1680
  # @param [String] client_email Service Account's Client Email.
1611
- # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
1612
- # Private Key.
1613
- # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
1614
- # Private Key.
1681
+ # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
1682
+ # Private Key or a Proc that accepts a single String parameter and returns a
1683
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1684
+ # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
1685
+ # Private Key or a Proc that accepts a single String parameter and returns a
1686
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1687
+ # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
1688
+ # Private Key or a Proc that accepts a single String parameter and returns a
1689
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1690
+ #
1691
+ # When using this method in environments such as GAE Flexible Environment,
1692
+ # GKE, or Cloud Functions where the private key is unavailable, it may be
1693
+ # necessary to provide a Proc (or lambda) via the signer parameter. This
1694
+ # Proc should return a signature created using a RPC call to the
1695
+ # [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
1696
+ # method as shown in the example below.
1697
+ # @return [PostObject] An object containing the URL, fields, and values needed to upload files via html forms.
1615
1698
  #
1616
- # @return [PostObject]
1699
+ # @raise [SignedUrlUnavailable] If the service account credentials
1700
+ # are missing. Service account credentials are acquired by following the
1701
+ # steps in [Service Account Authentication](
1702
+ # https://cloud.google.com/iam/docs/service-accounts).
1617
1703
  #
1618
1704
  # @example
1619
1705
  # require "google/cloud/storage"
@@ -1673,19 +1759,61 @@ module Google
1673
1759
  # post.fields[:signature] #=> "ABC...XYZ="
1674
1760
  # post.fields[:policy] #=> "ABC...XYZ="
1675
1761
  #
1762
+ # @example Using Cloud IAMCredentials signBlob to create the signature:
1763
+ # require "google/cloud/storage"
1764
+ # require "google/apis/iamcredentials_v1"
1765
+ # require "googleauth"
1766
+ #
1767
+ # # Issuer is the service account email that the Signed URL will be signed with
1768
+ # # and any permission granted in the Signed URL must be granted to the
1769
+ # # Google Service Account.
1770
+ # issuer = "service-account@project-id.iam.gserviceaccount.com"
1771
+ #
1772
+ # # Create a lambda that accepts the string_to_sign
1773
+ # signer = lambda do |string_to_sign|
1774
+ # IAMCredentials = Google::Apis::IamcredentialsV1
1775
+ # iam_client = IAMCredentials::IAMCredentialsService.new
1776
+ #
1777
+ # # Get the environment configured authorization
1778
+ # scopes = ["https://www.googleapis.com/auth/iam"]
1779
+ # iam_client.authorization = Google::Auth.get_application_default scopes
1780
+ #
1781
+ # request = {
1782
+ # "payload": string_to_sign,
1783
+ # }
1784
+ # resource = "projects/-/serviceAccounts/#{issuer}"
1785
+ # response = iam_client.sign_service_account_blob resource, request, {}
1786
+ # response.signed_blob
1787
+ # end
1788
+ #
1789
+ # storage = Google::Cloud::Storage.new
1790
+ #
1791
+ # bucket = storage.bucket "my-todo-app"
1792
+ # post = bucket.post_object "avatars/heidi/400x400.png",
1793
+ # issuer: issuer,
1794
+ # signer: signer
1795
+ #
1796
+ # post.url #=> "https://storage.googleapis.com"
1797
+ # post.fields[:key] #=> "my-todo-app/avatars/heidi/400x400.png"
1798
+ # post.fields[:GoogleAccessId] #=> "0123456789@gserviceaccount.com"
1799
+ # post.fields[:signature] #=> "ABC...XYZ="
1800
+ # post.fields[:policy] #=> "ABC...XYZ="
1801
+ #
1676
1802
  def post_object path,
1677
1803
  policy: nil,
1678
1804
  issuer: nil,
1679
1805
  client_email: nil,
1680
1806
  signing_key: nil,
1681
- private_key: nil
1807
+ private_key: nil,
1808
+ signer: nil
1682
1809
  ensure_service!
1683
- signer = File::SignerV2.from_bucket self, path
1684
- signer.post_object issuer: issuer,
1685
- client_email: client_email,
1686
- signing_key: signing_key,
1687
- private_key: private_key,
1688
- policy: policy
1810
+ sign = File::SignerV2.from_bucket self, path
1811
+ sign.post_object issuer: issuer,
1812
+ client_email: client_email,
1813
+ signing_key: signing_key,
1814
+ private_key: private_key,
1815
+ signer: signer,
1816
+ policy: policy
1689
1817
  end
1690
1818
 
1691
1819
  ##
@@ -1703,17 +1831,29 @@ module Google
1703
1831
  # A {SignedUrlUnavailable} is raised if the service account credentials
1704
1832
  # are missing. Service account credentials are acquired by following the
1705
1833
  # steps in [Service Account Authentication](
1706
- # https://cloud.google.com/storage/docs/authentication#service_accounts).
1834
+ # https://cloud.google.com/iam/docs/service-accounts).
1707
1835
  #
1708
1836
  # @see https://cloud.google.com/storage/docs/xml-api/post-object
1709
1837
  #
1710
1838
  # @param [String] path Path to the file in Google Cloud Storage.
1711
1839
  # @param [String] issuer Service Account's Client Email.
1712
1840
  # @param [String] client_email Service Account's Client Email.
1713
- # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
1714
- # Private Key.
1715
- # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
1716
- # Private Key.
1841
+ # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
1842
+ # Private Key or a Proc that accepts a single String parameter and returns a
1843
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1844
+ # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
1845
+ # Private Key or a Proc that accepts a single String parameter and returns a
1846
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1847
+ # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
1848
+ # Private Key or a Proc that accepts a single String parameter and returns a
1849
+ # RSA SHA256 signature using a valid Google Service Account Private Key.
1850
+ #
1851
+ # When using this method in environments such as GAE Flexible Environment,
1852
+ # GKE, or Cloud Functions where the private key is unavailable, it may be
1853
+ # necessary to provide a Proc (or lambda) via the signer parameter. This
1854
+ # Proc should return a signature created using a RPC call to the
1855
+ # [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
1856
+ # method as shown in the example below.
1717
1857
  # @param [Integer] expires The number of seconds until the URL expires.
1718
1858
  # The default is 604800 (7 days).
1719
1859
  # @param [Hash] fields User-supplied form fields such as `acl`,
@@ -1733,6 +1873,11 @@ module Google
1733
1873
  #
1734
1874
  # @return [PostObject] An object containing the URL, fields, and values needed to upload files via html forms.
1735
1875
  #
1876
+ # @raise [SignedUrlUnavailable] If the service account credentials
1877
+ # are missing. Service account credentials are acquired by following the
1878
+ # steps in [Service Account Authentication](
1879
+ # https://cloud.google.com/iam/docs/service-accounts).
1880
+ #
1736
1881
  # @example
1737
1882
  # require "google/cloud/storage"
1738
1883
  #
@@ -1752,11 +1897,56 @@ module Google
1752
1897
  # post.fields["x-goog-date"] #=> "20200128T000000Z"
1753
1898
  # post.fields["x-goog-signature"] #=> "4893a0e...cd82"
1754
1899
  #
1900
+ # @example Using Cloud IAMCredentials signBlob to create the signature:
1901
+ # require "google/cloud/storage"
1902
+ # require "google/apis/iamcredentials_v1"
1903
+ # require "googleauth"
1904
+ #
1905
+ # # Issuer is the service account email that the Signed URL will be signed with
1906
+ # # and any permission granted in the Signed URL must be granted to the
1907
+ # # Google Service Account.
1908
+ # issuer = "service-account@project-id.iam.gserviceaccount.com"
1909
+ #
1910
+ # # Create a lambda that accepts the string_to_sign
1911
+ # signer = lambda do |string_to_sign|
1912
+ # IAMCredentials = Google::Apis::IamcredentialsV1
1913
+ # iam_client = IAMCredentials::IAMCredentialsService.new
1914
+ #
1915
+ # # Get the environment configured authorization
1916
+ # scopes = ["https://www.googleapis.com/auth/iam"]
1917
+ # iam_client.authorization = Google::Auth.get_application_default scopes
1918
+ #
1919
+ # request = {
1920
+ # "payload": string_to_sign,
1921
+ # }
1922
+ # resource = "projects/-/serviceAccounts/#{issuer}"
1923
+ # response = iam_client.sign_service_account_blob resource, request, {}
1924
+ # response.signed_blob
1925
+ # end
1926
+ #
1927
+ # storage = Google::Cloud::Storage.new
1928
+ #
1929
+ # bucket = storage.bucket "my-todo-app"
1930
+ # conditions = [["starts-with", "$acl","public"]]
1931
+ # post = bucket.generate_signed_post_policy_v4(
1932
+ # "avatars/heidi/400x400.png", expires: 10,
1933
+ # conditions: conditions, issuer: issuer, signer: signer
1934
+ # )
1935
+ #
1936
+ # post.url #=> "https://storage.googleapis.com/my-todo-app/"
1937
+ # post.fields["key"] #=> "my-todo-app/avatars/heidi/400x400.png"
1938
+ # post.fields["policy"] #=> "ABC...XYZ"
1939
+ # post.fields["x-goog-algorithm"] #=> "GOOG4-RSA-SHA256"
1940
+ # post.fields["x-goog-credential"] #=> "cred@pid.iam.gserviceaccount.com/20200123/auto/storage/goog4_request"
1941
+ # post.fields["x-goog-date"] #=> "20200128T000000Z"
1942
+ # post.fields["x-goog-signature"] #=> "4893a0e...cd82"
1943
+ #
1755
1944
  def generate_signed_post_policy_v4 path,
1756
1945
  issuer: nil,
1757
1946
  client_email: nil,
1758
1947
  signing_key: nil,
1759
1948
  private_key: nil,
1949
+ signer: nil,
1760
1950
  expires: nil,
1761
1951
  fields: nil,
1762
1952
  conditions: nil,
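Review bot: The added example's `conditions = [["starts-with", "$acl","public"]]` accepts any `acl` form value that begins with `public`, which is looser than most upload forms need and is the kind of line readers copy unchanged. If the intent is to show a public-read upload, an exact-match condition such as `["eq", "$acl", "public-read"]` shows the tighter form, assuming the library passes conditions through to the policy document unchanged; otherwise a comment in the example should say the prefix match is deliberate. The `def generate_signed_post_policy_v4` signature that follows the example continues outside this hunk.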
@@ -1764,17 +1954,18 @@ module Google
1764
1954
  virtual_hosted_style: nil,
1765
1955
  bucket_bound_hostname: nil
1766
1956
  ensure_service!
1767
- signer = File::SignerV4.from_bucket self, path
1768
- signer.post_object issuer: issuer,
1769
- client_email: client_email,
1770
- signing_key: signing_key,
1771
- private_key: private_key,
1772
- expires: expires,
1773
- fields: fields,
1774
- conditions: conditions,
1775
- scheme: scheme,
1776
- virtual_hosted_style: virtual_hosted_style,
1777
- bucket_bound_hostname: bucket_bound_hostname
1957
+ sign = File::SignerV4.from_bucket self, path
1958
+ sign.post_object issuer: issuer,
1959
+ client_email: client_email,
1960
+ signing_key: signing_key,
1961
+ private_key: private_key,
1962
+ signer: signer,
1963
+ expires: expires,
1964
+ fields: fields,
1965
+ conditions: conditions,
1966
+ scheme: scheme,
1967
+ virtual_hosted_style: virtual_hosted_style,
1968
+ bucket_bound_hostname: bucket_bound_hostname
1778
1969
  end
1779
1970
 
1780
1971
  ##