Google Cloud Function + Go + Signed URL + Service Account

I'm trying to implement a function that will return signed URLs for Cloud Storage objects (I know it's beta and not officially supported for Go yet).

I made it work locally with

url, err := storage.SignedURL(bucket, filename, &storage.SignedURLOptions{
    GoogleAccessID: "my-service-account@my-project.iam.gserviceaccount.com",
    PrivateKey:     pkey,
    Method:         "GET",
    Expires:        time.Now().Add(90 * time.Minute),
    Scheme:         storage.SigningSchemeV4,
})

Everything works great and I use GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the my-service-account.json keyfile.

When I deploy the same code to a Cloud Function, however, the generated URLs all return a 403 when accessed.

I do deploy the function with
--service-account my-service-account@my-project.iam.gserviceaccount.com
and I can verify in the cloud console that the function is running under this service account.

From my understanding this should mean that both instances run under the same credentials/permissions, yet only the locally running one produces valid URLs whereas the Cloud-deployed version doesn't.
What am I missing here and how do I make it work?
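
One way to compare a URL generated locally with one generated by the deployed function, as an added example that is not part of the original post: it decodes the V4 query parameters to show which service account the URL names as signer and when it expires. The helper name `inspectSignedURL`, the struct and the sample URL are constructed for illustration; the signature is not verified.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Constructed sample URL with a placeholder signature, not a real credential.
const sampleURL = "https://storage.googleapis.com/my-bucket/file.txt" +
	"?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Date=20240101T000000Z&X-Goog-Expires=5400" +
	"&X-Goog-Credential=my-service-account%40my-project.iam.gserviceaccount.com%2F20240101%2Fauto%2Fstorage%2Fgoog4_request" +
	"&X-Goog-SignedHeaders=host&X-Goog-Signature=00"

// SignedURLInfo holds the V4 fields worth comparing between two environments.
type SignedURLInfo struct {
	Signer    string    // account named in X-Goog-Credential
	SignedAt  time.Time // X-Goog-Date
	ExpiresAt time.Time // SignedAt plus X-Goog-Expires seconds
}

// inspectSignedURL (hypothetical helper) decodes query parameters only; no network call.
func inspectSignedURL(raw string) (*SignedURLInfo, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	for _, k := range []string{"X-Goog-Algorithm", "X-Goog-Credential", "X-Goog-Date", "X-Goog-Expires", "X-Goog-SignedHeaders", "X-Goog-Signature"} {
		if q.Get(k) == "" {
			return nil, fmt.Errorf("missing %s: not a complete V4 signed URL", k)
		}
	}
	// Credential scope: <signer>/<yyyymmdd>/<location>/storage/goog4_request
	signer := strings.SplitN(q.Get("X-Goog-Credential"), "/", 2)[0]
	signedAt, err := time.Parse("20060102T150405Z", q.Get("X-Goog-Date"))
	if err != nil {
		return nil, fmt.Errorf("bad X-Goog-Date: %w", err)
	}
	secs, err := strconv.Atoi(q.Get("X-Goog-Expires"))
	if err != nil {
		return nil, fmt.Errorf("bad X-Goog-Expires: %w", err)
	}
	return &SignedURLInfo{signer, signedAt, signedAt.Add(time.Duration(secs) * time.Second)}, nil
}

func main() { fmt.Println(inspectSignedURL(sampleURL)) }
```

Running it on one URL from each environment shows whether the signer or the expiry window differs between the two before any request is sent.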