fake-gcs-server: Signed URLs: Unable to authenticate with AnonymousCredentials
Hi, everyone!
When I generate Signed URLs using service-account.json issued from GCP the authentication succeeds, but when I try to use AnonymousCredentials() as credentials it does not work.
```python
import datetime

import requests
from google.cloud import storage
from google.cloud.storage.blob import Blob
from google.oauth2 import service_account
from google.api_core.client_options import ClientOptions
from google.auth.credentials import AnonymousCredentials


def _get_client():
    _http = requests.Session()
    _http.verify = False

    # this works.
    # credentials = service_account.Credentials.from_service_account_file("path/to/service-account.json")

    return storage.Client(
        # credentials=credentials,
        credentials=AnonymousCredentials(),
        project="fake-gcs",
        _http=_http,
        client_options=ClientOptions(api_endpoint="http://fake-gcs:4443"),  # access from docker network
    )


def _replace_gcs_url(url):
    # Point the generated URL at the emulator published on the host
    return url.replace("https://storage.googleapis.com/", "http://localhost:4443/")


blob = Blob.from_string("gs://path/to/resource", client=_get_client())
url = blob.generate_signed_url(
    version="v4",
    expiration=datetime.timedelta(
        seconds=60,
    ),
    method="GET",
)
url = _replace_gcs_url(url)
```
docker logs:
app | AttributeError: you need a private key to sign credentials.the credentials you are currently using <class 'google.auth.credentials.AnonymousCredentials'> just contains a token. see https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-account for more details.
We would like to avoid getting GCS service-account.json in the local development environment as much as possible. Is there a better way to do this?
About this issue
- State: closed
- Created 2 years ago
- Comments: 15 (5 by maintainers)
Thanks for the reply. I’ve patched the call that talks to this endpoint under the hood. Communicating with fake-gcs-server in the tests now works properly, despite passing a fake service account (with real PEM) to the client instead of AnonymousCredentials. Thanks again!
I tried passing dummy information based on the format of valid service-account.json, and it succeeded in generating a Signed URL! Thank you for your help!
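
The workaround the last two comments describe (dummy service-account fields plus a real PEM key), as an added example that is not code from the thread or from fake-gcs-server. The function names and every placeholder value are assumptions made for illustration, and it requires the `cryptography` and `google-cloud-storage` packages; the key is generated at runtime so nothing secret is stored in the repository.

```python
# Added example (not from the thread): sign URLs for fake-gcs-server with a
# throwaway key generated at runtime, so no real service-account.json is needed.
import datetime

REAL_SA_SUFFIX = ".gserviceaccount.com"  # domain suffix of real GCP service accounts

def dummy_service_account_info(private_key_pem):
    """Service-account-shaped dict; every value is a constructed placeholder."""
    return {
        "type": "service_account",
        "project_id": "fake-gcs",
        "private_key_id": "dummy-key-id",
        "private_key": private_key_pem,
        "client_email": "dev@fake-gcs.invalid",
        "token_uri": "http://fake-gcs.invalid/token",
    }

def is_real_gcp_identity(info):
    """True when the dict names a real GCP service account (keep those out of dev)."""
    return info.get("client_email", "").lower().endswith(REAL_SA_SUFFIX)

def generate_throwaway_key():
    """Fresh RSA key as PKCS#8 PEM; it exists only in this process."""
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    ).decode()

def signed_url_for_emulator(bucket, name, endpoint="http://localhost:4443"):
    """V4 signed URL pointing at the emulator; signing is local, no network call."""
    from google.api_core.client_options import ClientOptions
    from google.cloud import storage
    from google.oauth2 import service_account
    info = dummy_service_account_info(generate_throwaway_key())
    if is_real_gcp_identity(info):
        raise ValueError("refusing to use a real service account locally")
    creds = service_account.Credentials.from_service_account_info(info)
    client = storage.Client(credentials=creds, project="fake-gcs",
                            client_options=ClientOptions(api_endpoint=endpoint))
    return client.bucket(bucket).blob(name).generate_signed_url(
        version="v4", expiration=datetime.timedelta(seconds=60),
        method="GET", api_access_endpoint=endpoint)
```

The `is_real_gcp_identity` check can also be run over any service-account JSON found in a development or test tree to confirm that only dummy identities are present.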