From ef07ed149dffadb3a89fe89364ccd5e0d56e5223 Mon Sep 17 00:00:00 2001
From: Matt Morrison
Date: Mon, 15 Aug 2016 11:15:25 +1200
Subject: [PATCH] Add google_storage_object_signed_url documentation.

---
 .../data_source_storage_object_signed_url.go | 6 ++-
 .../google/d/signed_url.html.markdown | 54 +++++++++++++++++++
 website/source/layouts/google.erb | 9 ++++
 3 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 website/source/docs/providers/google/d/signed_url.html.markdown

diff --git a/builtin/providers/google/data_source_storage_object_signed_url.go b/builtin/providers/google/data_source_storage_object_signed_url.go
index f39dcdf30..fa323359b 100644
--- a/builtin/providers/google/data_source_storage_object_signed_url.go
+++ b/builtin/providers/google/data_source_storage_object_signed_url.go
@@ -176,7 +176,7 @@ func loadJwtConfig(d *schema.ResourceData, meta interface{}) (*jwt.Config, error
 return cfg, nil
 }
 
- return nil, fmt.Errorf("Credentials not provided in resource or provider configuration or GOOGLE_APPLICATION_CREDENTIALS environment variable.")
+ return nil, fmt.Errorf("Credentials not found in datasource, provider configuration or GOOGLE_APPLICATION_CREDENTIALS environment variable.")
 }
 
 func guessUnixHomeDir() string {
@@ -281,6 +281,7 @@ func (u *UrlData) BuildUrl() string {
 }
 
 func SignString(toSign []byte, cfg *jwt.Config) ([]byte, error) {
+ // Parse private key
 pk, err := parsePrivateKey(cfg.PrivateKey)
 if err != nil {
 return nil, fmt.Errorf("could not parse key: %v\nKey:%s", err, string(cfg.PrivateKey))
@@ -290,9 +291,10 @@ func SignString(toSign []byte, cfg *jwt.Config) ([]byte, error) {
 hasher := sha256.New()
 hasher.Write(toSign)
 
+ // Sign string
 signed, err := rsa.SignPKCS1v15(rand.Reader, pk, crypto.SHA256, hasher.Sum(nil))
 if err != nil {
- return nil, fmt.Errorf("Error from signing: %s\n", err)
+ return nil, fmt.Errorf("error signing string: %s\n", err)
 }
 
 return signed, nil
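Review bot: The reworded message in the hunk at -176,7 +176,7 still breaks the Go error-string convention that golint/staticcheck flag: it is capitalised, ends with a period, and is built with `fmt.Errorf` although it has no format verbs. A plain `return nil, errors.New("credentials not found in data source, provider configuration or GOOGLE_APPLICATION_CREDENTIALS environment variable")` says the same thing (importing `errors` if the file does not already). The same point applies to the new `"error signing string: %s\n"` in the hunk at -290,9 +291,10, where the trailing `\n` produces a stray blank line whenever Terraform prints or wraps the error; `fmt.Errorf("error signing string: %v", err)` is enough. loadJwtConfig begins outside the hunk.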
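Review bot: The context line directly under the new `// Parse private key` comment, `fmt.Errorf("could not parse key: %v\nKey:%s", err, string(cfg.PrivateKey))`, copies the service-account private key verbatim into the returned error, so a malformed or mis-pasted key lands in Terraform's console output, CI logs and any pasted bug report — exactly where a credential must not appear. The parse error from parsePrivateKey is sufficient to diagnose the problem on its own; `return nil, fmt.Errorf("could not parse private key: %v", err)` keeps the diagnostic without the secret. If the aim is to help users spot the wrong file, report a non-sensitive property such as the key's byte length or whether it is PEM-framed, never its contents. SignString's body continues beyond the end of this hunk.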
diff --git a/website/source/docs/providers/google/d/signed_url.html.markdown b/website/source/docs/providers/google/d/signed_url.html.markdown
new file mode 100644
index 000000000..ff49e1d0a
--- /dev/null
+++ b/website/source/docs/providers/google/d/signed_url.html.markdown
@@ -0,0 +1,54 @@
+---
+layout: "google"
+page_title: "Google: google_storage_object_signed_url"
+sidebar_current: "docs-google-datasource-signed_url"
+description: |-
+ Provides signed URL to Google Cloud Storage object.
+---
+
+# google\_storage\_object\_signed_url
+
+The Google Cloud storage signed URL data source generates a signed URL for a given storage object. Signed URLs provide a way to give time-limited read or write access to anyone in possession of the URL, regardless of whether they have a Google account.
+
+For more info about signed URL's is available [here](https://cloud.google.com/storage/docs/access-control/signed-urls).
+
+## Example Usage
+
+```
+data "google_storage_object_signed_url" "artifact" {
+ bucket = "install_binaries"
+ path = "path/to/install_file.bin"
+
+}
+
+resource "google_compute_instance" "vm" {
+ name = "vm"
+ ...
+
+ provisioner "remote-exec" {
+ inline = [
+ "wget ${data.google_storage_object_signed_url.artifact.signed_url}",
+ "chmod +x install_file.bin",
+ "./install_file.bin"
+ ]
+ }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `bucket` - (Required) The name of the bucket to read the object from
+* `path` - (Required) The full path to the object inside the bucket
+* `http_method` - (Optional) What HTTP Method will the signed URL allow (defaults to `GET`)
+* `duration` - (Optional) For how long shall the signed URL be valid (defaults to 1 hour `1h`). See [here](https://golang.org/pkg/time/#ParseDuration) for info on valid duration formats.
+* `credentials` - (Optional) What Google service account credentials json should be used to sign the URL. This data source checks the following locations for credentials, in order of preference: data source `credentials` attribute, provider `credentials` attribute and finally the GOOGLE_APPLICATION_CREDENTIALS environment variable.
+
+> **NOTE** the default google credentials configured by `gcloud` sdk or the service account associated with a compute instance cannot be used, because these do not include the private key required to sign the URL. A valid `json` service account credentials key file must be used, as generated via Google cloud console.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `signed_url` - The signed URL that can be used to access the storage object without authentication.
diff --git a/website/source/layouts/google.erb b/website/source/layouts/google.erb
index 494004458..206af3db2 100644
--- a/website/source/layouts/google.erb
+++ b/website/source/layouts/google.erb
@@ -10,6 +10,15 @@ Google Provider + > + Data Sources + + + > Google Compute Engine Resources