经过大量的研究和实验,我根本无法获得谷歌云存储签名的URL来下载一些简单的东西。我一定错过了一些基本的东西。以下是Python中的核心代码:
from google.cloud import storage
def file_get_url(bucket_name, blob_name):
storage_client = storage.Client()
bucket = storage_client.bucket(bucket_name)
blob = bucket.blob(blob_name)
url = blob.generate_signed_url(version="v4", expiration=datetime.timedelta(hours=5), method="GET")
return url
调用file_get_url('test-bucketrqu', 'vzu8kd2'),其中blob"vzu8kd2"包含字符串hello,返回https://storage.googleapis.com/test-bucketrqu/vzu8kd2?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=%2F20220925%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20220925T222429Z&X-Goog-Expires=18000&X-Goog-SignedHeaders=host&X-Goog-Signature=42a0d1d2294ad058c8fbf4113a0286301d37f30c79820513e3eb2cb69960992e8221261168d95b86ff7a5ac0eb5869ee78cd2e7dc1cc51cf06f565742e549eab12f945f8cdfa7776fdde3cbbfb6f60a81a72858c4d2f9b6335d0c6ef6b48900dc8334749bbda789cc96d624bc7dada8d7fb5772e013b576cd65c0da114ef4a67a7316c1b0d08d78c510237a02b14023b63452f1e2fc7bdabd93fe60e5e6d1fd3e6989bf7841efb36ddc500082e2d879719579e361b7145d70b2cd4989dd6bbba3d39eee391a91108cdc62095492e73d0c17bf9f4ba10d226bcbaaf0f8962a4dc60c7750d37e88cde77c6cd9200c460034958cb779b6611398abf21c5105bad89
将该URL粘贴到我的浏览器栏中会返回
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Message>
<StringToSign>GOOG4-RSA-SHA256 20220925T222429Z 20220925/auto/storage/goog4_request 829ae54cd525fc4940f686e6bee4170599644aa7238e90f4085ba4e56dc0a98b</StringToSign>
<CanonicalRequest>GET /test-bucketrqu/vzu8kd2 X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=%2F20220925%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20220925T222429Z&X-Goog-Expires=18000&X-Goog-SignedHeaders=host host:storage.googleapis.com host UNSIGNED-PAYLOAD</CanonicalRequest>
</Error>
不确定这是否重要,但我正在本地开发机器上使用GOOGLE_APPLICATION_CREDENTIALS环境变量运行此程序,该变量具有Owner角色的帐户的用户凭据。作为对评论的回应,我在角色中添加了Storage Admin和Service Account Token Creator,在绝望中等待了几分钟后,撤销并重新拨打了gcloud auth application-default login,但无济于事。
签名URL用于服务帐户,而不是用户帐户。使用从本地开发环境生成签名URL
- 创建服务帐户
- 以该服务帐户登录并保持
GOOGLE_APPLICATION_CREDENTIALS未设置,或者下载JSON密钥文件并设置GOOGLE_APPLICATION_CREDENTIALS指向它