
POM file detail:

    <dependency>
        <groupId>com.google.auth</groupId>
        <artifactId>google-auth-library-appengine</artifactId>
    </dependency>

1.2.4.RELEASE

Libs included in jar:
Line 643: Step #0: [INFO] Downloading from central: https://repo.maven.apache.org/maven2/com/google/auth/google-auth-library-oauth2-http/0.21.1/google-auth-library-oauth2-http-0.21.1.pom

Environment details

  • OS: Debian
  • Java version: 11
  • google-auth-library-java version(s): 0.21.1

Steps to reproduce

  • Upload a file to a GCS bucket.
  • Try to download it using the code given below.

Stacktrace

com.google.auth.ServiceAccountSigner$SigningException: Failed to sign the provided bytes
at com.google.auth.oauth2.IamUtils.sign(IamUtils.java:87)
at com.google.auth.oauth2.ComputeEngineCredentials.sign(ComputeEngineCredentials.java:361)
at com.google.cloud.storage.StorageImpl.signUrl(StorageImpl.java:772)
at com.google.cloud.storage.Blob.signUrl(Blob.java:822)

Caused by: java.io.IOException: Error code 403 trying to sign provided bytes: The caller does not have permission
at com.google.auth.oauth2.IamUtils.getSignature(IamUtils.java:125)
at com.google.auth.oauth2.IamUtils.sign(IamUtils.java:84)
... 69 more

Code snippet

import com.google.api.gax.paging.Page;
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.IOException;
import java.net.URL;
import java.util.concurrent.TimeUnit;

// [START auth_cloud_explicit_compute_engine]
public Storage authCompute() throws IOException {
    // Explicitly request service account credentials from the compute engine
    // instance.
    // GoogleCredentials credentials = ComputeEngineCredentials.create();
    // getApplicationDefault() is a static method inherited from GoogleCredentials;
    // on GKE it resolves to the node or workload-identity service account.
    GoogleCredentials credentials = ComputeEngineCredentials.getApplicationDefault();
    Storage storage = StorageOptions.newBuilder().setCredentials(credentials).build().getService();

    System.out.println("Buckets:");
    Page<Bucket> buckets = storage.list();
    for (Bucket bucket : buckets.iterateAll()) {
        System.out.println(bucket.toString());
    }
    return storage;
}
// [END auth_cloud_explicit_compute_engine]

// Caller (method wrapper and its name assumed): fetch the object and sign a URL
// for it. signUrl() is the call that triggers the IAM signBlob request seen in
// the stack trace above.
public URL getSignedUrl(String bucketName, String objectName, long urlExpirationTime)
        throws IOException {
    Storage storage = authUtil.authCompute();
    Blob blob = storage.get(BlobId.of(bucketName, objectName));
    return blob.signUrl(urlExpirationTime, TimeUnit.MILLISECONDS);
}

My application is deployed on GKE. From there we are trying to download / get a signed URL for a file that is stored in GCS.

2 Answers


  1. Chosen as BEST ANSWER

    ComputeEngineCredentials uses the IAM signBlob API call, so the service account being used needs to have the iam.serviceAccounts.signBlob permission. Depending on your setup, this may be the default service account for GKE or a workload identity.


  2. The IAM Service Account Credentials API also needs to be enabled, along with Service Account Token Creator access.
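The two answers together describe the failure mode: Blob.signUrl() delegates to ComputeEngineCredentials.sign(), which calls the IAM Service Account Credentials signBlob API, and that call is refused with 403 unless the calling service account holds iam.serviceAccounts.signBlob (granted by roles/iam.serviceAccountTokenCreator) and the iamcredentials.googleapis.com API is enabled. The helper below is an added example, not code from the question, the answers or the google-auth-library-java project; it uses ComputeEngineCredentials.create() explicitly so that getAccount() can report which identity the GKE workload is actually running as (the point of answer 1), and turns the opaque SigningException into an operator-facing message. The class and method names, and the 403 substring check on the cause message, are assumptions for this illustration.

```java
import com.google.auth.ServiceAccountSigner.SigningException;
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.IOException;
import java.net.URL;
import java.util.concurrent.TimeUnit;

// Hypothetical helper class (name assumed) wrapping the signUrl call from the question.
public class SignedUrlDiagnostics {

    // Sign a URL with the instance/workload identity; if the IAM signBlob call is
    // refused, report which identity needs which grant instead of a bare 403.
    public static URL signOrExplain(String bucketName, String objectName, long ttlMillis)
            throws IOException {
        // Explicit metadata-server credentials (rather than getApplicationDefault())
        // so getAccount() can tell us the service account email in use: on GKE this
        // is either the node's default service account or the workload identity.
        ComputeEngineCredentials credentials = ComputeEngineCredentials.create();
        String account = credentials.getAccount();

        Storage storage = StorageOptions.newBuilder()
                .setCredentials(credentials)
                .build()
                .getService();
        Blob blob = storage.get(BlobId.of(bucketName, objectName));
        if (blob == null) {
            throw new IOException("object not found: gs://" + bucketName + "/" + objectName);
        }

        try {
            // Blob.signUrl -> ComputeEngineCredentials.sign -> IamUtils.sign, which is
            // the signBlob request that failed in the stack trace above.
            return blob.signUrl(ttlMillis, TimeUnit.MILLISECONDS);
        } catch (SigningException e) {
            // IamUtils wraps the HTTP failure as an IOException whose message carries
            // the status code ("Error code 403 trying to sign provided bytes ...").
            Throwable cause = e.getCause();
            boolean permissionDenied = cause instanceof IOException
                    && cause.getMessage() != null
                    && cause.getMessage().contains("403");
            if (permissionDenied) {
                throw new IOException(remediation(account), e);
            }
            throw e;
        }
    }

    // Operator-facing message built from the facts in the two answers.
    static String remediation(String account) {
        return "signBlob was refused (HTTP 403) for service account " + account
                + ". Grant that identity iam.serviceAccounts.signBlob on itself"
                + " (roles/iam.serviceAccountTokenCreator) and make sure the"
                + " IAM Service Account Credentials API (iamcredentials.googleapis.com)"
                + " is enabled in the project.";
    }
}
```

The message names the exact service account email because the grant must land on the identity the pod really uses; with Workload Identity that is the bound GCP service account, not the node's default account, and granting Token Creator to the wrong one leaves the 403 in place.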
