How do I generate signed URLs for GCS with workload identity in the C# SDK?


I use workload id for all my GKE deployments.

I have an app that needs to generate signed URLs for GCS and it uses the C# SDK.

I see no docs on how to do this with workload id, only with static keys.

It looks like I might have to manually call SignBlob() and pass the SignBytes to SignedURL? Like this: https://seankhliao.com/blog/12021-08-25-gcp-signed-url-no-key/

Is this possible with the C# SDK?

Edit

See this github issue I opened asking for example snippets for the C# SDK: https://github.com/googleapis/google-api-dotnet-client/issues/2410

Best answer:

If by the C# SDK you mean Google.Cloud.Storage.V1 + Google.Apis.Auth then as of 2023-05-16, external account credentials (Workload ID) are not supported as URL signers and you need to use the IAM service to sign the blob yourself. You can find this information in the Google.Cloud.Storage.V1 library documentation:

Google.Apis.Auth.OAuth2.ServiceAccountCredential, Google.Apis.Auth.OAuth2.ComputeCredential and Google.Apis.Auth.OAuth2.ImpersonatedCredential are all supported credentials from which you can build a UrlSigner by calling the appropriate UrlSigner.FromCredential method overload. Google.Apis.Auth.OAuth2.GoogleCredential is also supported as long as the underlying credential is one of the supported specific types.

External account credentials are not currently supported for URL signing because it's not always possible to know client side which service account the credential maps back to, and that's a requirement (we would be calling the IAM service internally for this).

I'll discuss internally with the wider Auth team to consider supporting signing with an external account credential in cases where we know the underlying service account. Feel free to create an issue in https://github.com/googleapis/google-api-dotnet-client/issues where I can update back.
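The workaround the answer describes (sign the blob through the IAM Credentials API yourself, then hand the signature to UrlSigner) looks roughly like this. This is an added illustration, not code from the question, the answer, or the Google libraries: it plugs a custom UrlSigner.IBlobSigner into UrlSigner.FromBlobSigner and has SignBlob perform the RSA signature server-side, so no private key ever exists in the pod. The IBlobSigner member shapes are assumed to match the library version in use (check the interface in your installed Google.Cloud.Storage.V1), the SIGNING_SERVICE_ACCOUNT environment variable and the bucket and object names are placeholders, and the workload's identity is assumed to hold roles/iam.serviceAccountTokenCreator on the service account it signs as.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Google.Cloud.Iam.Credentials.V1;
using Google.Cloud.Storage.V1;
using Google.Protobuf;

// Hypothetical blob signer (not part of the SDK) that delegates the signature
// to the IAM Credentials API (projects.serviceAccounts.signBlob). The caller's
// Google identity needs roles/iam.serviceAccountTokenCreator on the target
// service account; nothing else is required and no key material is handled.
public sealed class IamBlobSigner : UrlSigner.IBlobSigner
{
    private readonly IAMCredentialsClient _client;
    private readonly string _serviceAccountEmail;

    public IamBlobSigner(IAMCredentialsClient client, string serviceAccountEmail)
    {
        _client = client;
        _serviceAccountEmail = serviceAccountEmail;
    }

    // The signer id is the service account email. It is embedded in the signed
    // URL (X-Goog-Credential), which is how GCS finds the matching public key.
    public string Id => _serviceAccountEmail;

    public string CreateSignature(byte[] data, UrlSigner.BlobSignerParameters parameters)
    {
        SignBlobResponse response = _client.SignBlob(BuildRequest(data));
        return response.SignedBlob.ToBase64();
    }

    public async Task<string> CreateSignatureAsync(
        byte[] data, UrlSigner.BlobSignerParameters parameters, CancellationToken cancellationToken)
    {
        SignBlobResponse response = await _client.SignBlobAsync(BuildRequest(data), cancellationToken);
        return response.SignedBlob.ToBase64();
    }

    private SignBlobRequest BuildRequest(byte[] data) => new SignBlobRequest
    {
        // "projects/-" lets the API resolve the project from the email.
        Name = $"projects/-/serviceAccounts/{_serviceAccountEmail}",
        Payload = ByteString.CopyFrom(data),
    };
}

public static class Program
{
    public static async Task Main()
    {
        // Assumed: the account to sign as comes from configuration, because the
        // library cannot derive it from an external-account (Workload Identity) credential.
        string email = Environment.GetEnvironmentVariable("SIGNING_SERVICE_ACCOUNT")
            ?? throw new InvalidOperationException("SIGNING_SERVICE_ACCOUNT is not set");

        IAMCredentialsClient iam = await IAMCredentialsClient.CreateAsync();
        UrlSigner signer = UrlSigner.FromBlobSigner(new IamBlobSigner(iam, email));

        // Short-lived, read-only URL for one object (placeholder bucket/object names).
        string url = await signer.SignAsync(
            "example-bucket", "reports/example.pdf", TimeSpan.FromMinutes(15), HttpMethod.Get);
        Console.WriteLine(url);
    }
}
```

Keep the lifetime short and the method restricted (GET here); a signed URL is a bearer capability, so anyone who obtains it can use it until it expires. If SignBlob fails with a permission error, the missing piece is almost always the token-creator role binding on the target service account rather than anything in the client code.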