This page shows you how to use the Google Cloud signBlob method
to create a signature from a string-to-sign or policy document. Signatures
are used as credentials in certains requests, such as signed URLs. This
guide uses RSA keys for creating signatures.
Before you begin
Enable the Service Account Credentials API.
You must have the
iam.serviceAccounts.signBlobpermission for the service account that you use in this guide. Theiam.serviceAccounts.signBlobpermission is included in theroles/iam.serviceAccountTokenCreatorrole.The service account that you use in this guide must have permission to perform the request encoded within the signature. For example, if the signature will be used to read object data from a bucket, the service account must have permission to read the object data.
Create a signature
Have gcloud CLI installed and initialized, which lets you generate an access token for the
Authorizationheader.Create a JSON file that contains the following information:
{ "payload": "REQUEST_INFORMATION" }
Where:
REQUEST_INFORMATIONis a string-to-sign or a policy document. For both, content must be base64-encoded.
Use
cURLto call the IAM API with asignBlobrequest:curl -X POST --data-binary @JSON_FILE_NAME \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json" \ "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_EMAIL:signBlob"
Where:
JSON_FILE_NAMEis the name of the file you created in Step 2.SERVICE_ACCOUNT_EMAILis the email address of the service account you want to use to create the signature. For example,service-7550275089395@my-pet-project.iam.gserviceaccount.com.
If successful, the signature is returned in the signedBlob field in the
response.
What's next
- See the reference page for signing blobs with the Google Cloud CLI.
- Create a signed URL manually, using the signature you created.
- Create a signed URL with Google Cloud tools.
- Learn more about signatures.