signed urls

So say you need to generate short lived urls granting access to a resource in GCP Cloud Storage, because one of your third party SaaS solutions doesn't integrate with GCP and their S3 integration is limited to actual AWS S3 and not just API compatible S3.

The Google documented way is to create a service account key and use that to sign URLs, but we don't want that: managing service account keys is a PITA.


Because you never create a key, you don't have anything to sign the url with. So you need to grant roles/iam.serviceAccountTokenCreator to allow the service to create tokens to sign things with.

If it's the service's identity is what has access to bucket contents, then you'll be granting it the role on itself.

In terraform format with workload identity:

resource "google_service_account" "your-sa" {
  account_id = "your-sa"
resource "google_service_account_iam_policy" "your-sa" {
  service_account_id =
  policy_data        = data.google_iam_policy.your-sa.policy_data
data "google_iam_policy" "your-sa" {
  binding {
    role = "roles/iam.workloadIdentityUser"
    members = [
  binding {
    role = "roles/iam.serviceAccountTokenCreator"
    members = [

internet version

Obviously someone else also wants to do this and dumped it in a gist.

my version

I thought it could be shorter, mainly taking advantage of the fact that all google api libraries know how to find/use default credentials.

package main

import (

        credentials ""
        credentialspb ""

func main() {
      ctx := context.Background()

        saEmail, _ := metadata.Email("default")
        iamClient, _ := credentials.NewIamCredentialsClient(ctx)
        defer iamClient.Close()

        u, _ := storage.SignedURL("bucket-name", "path/to/object", &storage.SignedURLOptions{
                GoogleAccessID: saEmail,
                SignBytes: func(b []byte) ([]byte, error) {
                        res, _ := iamClient.SignBlob(ctx, &credentialspb.SignBlobRequest{
                                Payload: b,
                                Name: saEmail,
                        return res.SignedBlob, nil
                Method: "GET",
                Expires: time.Now().Add(5*time.Minute)