Reputation: 53
For every Google Compute instance, there is a default service account like this:
I can create my instance with the proper scope (i.e. https://www.googleapis.com/auth/devstorage.full_control) and use this account to make API requests.
On this page: https://cloud.google.com/storage/docs/authentication#service_accounts it says:
Every project has a service account associated with it, which may be used for authentication and to enable advanced features such as Signed URLs and browser uploads using POST.
This implies that I can use this service account to create Signed URLs. However, I have no idea how to create a signed URL with this service account since I can't seem to get the private key (.p12 file) associated with this account.
I can create a new, separate service account from the developer console, and that has the option of downloading a .p12 file for signing, but the project level service accounts do not appear under the "APIs and auth / Credentials" section. I can see them under "Project / Permissions", but I can't do anything with them there.
Am I missing some other way to retrieve the private key for these default accounts, or is there no way to sign URLs when using them?
Upvotes: 5
Views: 4794
Reputation: 3537
You can use the p12 key of any of your service accounts while you're authenticated through your main account, a GCE service account, or other service accounts that have appropriate permissions on the bucket and the file.
In this case, just create a service account, download the p12 key, and use the following command to sign your URL:
$ gsutil signurl -d 10m privatekey.p12 gs://bucket/foo
Though you can authenticate using a different service account with the following command:
$ gcloud auth activate-service-account service-account-email --key-file key.p12
You can list and switch your accounts using these commands:
$ gcloud auth list
$ gcloud config set account ACCOUNT
Upvotes: 1
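What a signed URL's signature covers, as an added example that is not part of the original posts or of gsutil: it assumes the legacy V2 query-string signing layout and a PEM private key, and the throwaway key and account name are constructed. Because the method, expiry and object path are all signed, changing any of them invalidates the URL.

```sh
#!/bin/sh
# Added example: legacy V2 signed-URL layout, signed with a throwaway key.
set -eu

# V2 string-to-sign: verb, Content-MD5, Content-Type, expiry, resource.
string_to_sign() {  # METHOD EXPIRES /BUCKET/OBJECT
  printf '%s\n\n\n%s\n%s' "$1" "$2" "$3"
}

sign_b64() {  # KEY.pem; data on stdin -> base64 RSA-SHA256 signature
  openssl dgst -sha256 -sign "$1" | openssl base64 -A
}

verify_sig() {  # PUB.pem B64SIG; data on stdin -> exit 0 if signature is valid
  local sigfile rc
  sigfile=$(mktemp)
  printf '%s\n' "$2" | openssl base64 -d -A > "$sigfile"
  openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1 && rc=0 || rc=1
  rm -f "$sigfile"
  return "$rc"
}

urlencode_b64() {  # percent-encode the base64 characters unsafe in a query string
  printf '%s' "$1" | sed -e 's/+/%2B/g' -e 's|/|%2F|g' -e 's/=/%3D/g'
}

signed_url() {  # KEY.pem ACCESS_ID EXPIRES BUCKET OBJECT
  local sig
  sig=$(string_to_sign GET "$3" "/$4/$5" | sign_b64 "$1")
  printf 'https://storage.googleapis.com/%s/%s?GoogleAccessId=%s&Expires=%s&Signature=%s\n' \
    "$4" "$5" "$2" "$3" "$(urlencode_b64 "$sig")"
}

demo() {  # constructed inputs: throwaway key, hypothetical account, 10-minute expiry
  local dir
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  signed_url "$dir/key.pem" signer@example.iam.gserviceaccount.com \
    "$(( $(date +%s) + 600 ))" bucket foo
  rm -rf "$dir"
}
demo
```

Anyone holding the resulting URL can fetch the object until the expiry passes, so keep the lifetime short and treat the signing key like any other long-lived credential.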