nodejs-storage: "Cannot sign data without `client_email`" for getSignedUrl

I’m trying to get a signed url from a storage bucket, but am getting a signing error. I have permission to read from the bucket, and have been able to stream its contents fine.

Code:

  ...

  const expires = new Date()
  expires.setSeconds(expires.getSeconds() + 30)

  const storage = new Storage({ projectId });

  storage
    .bucket(bucketName)
    .file(`${directory}/${packageName}`)
    .getSignedUrl({
      expires,
      action: 'read',
    })
    .then(url => {
      res.send(url)
      console.log(url)
    })
    .catch(console.log)

Error:

{ SigningError: Cannot sign data without `client_email`.
    at /Users/pikelnys/Desktop/code/gcs-project/api/node_modules/@google-cloud/storage/src/file.js:1784:16
    at Auth._signWithApi (/Users/pikelnys/Desktop/code/gcs-project/api/node_modules/google-auto-auth/index.js:331:7)
    at getCredentials (/Users/pikelnys/Desktop/code/gcs-project/api/node_modules/google-auto-auth/index.js:316:14)
    at googleAuthClient.getCredentials (/Users/pikelnys/Desktop/code/gcs-project/api/node_modules/google-auto-auth/index.js:194:9)
    at /Users/pikelnys/Desktop/code/gcs-project/api/node_modules/google-auth-library/build/src/auth/googleauth.js:602:67
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:188:7) message: 'Cannot sign data without `client_email`.' }

Environment details

OS: macOS 10.13.4
Node.js version: 8.11.2
npm version: 6.4.1
@google-cloud/storage version: 1.7.0

Edit: I’m getting this in both a local environment (where I authenticate with gcloud auth application-default login) and while the code is deployed to cloud functions.

About this issue

Original URL
State: closed
Created 6 years ago
Reactions: 12
Comments: 24 (7 by maintainers)

Links to this issue

@pinelab/vendure-plugin-invoices - npm

Commits related to this issue

docs: add note about using service account (#1217) The default account does not include `client_email`, which is necessary for signing. Note this for folks. see: https://github.com/googleapis/node... — committed to googleapis/nodejs-storage by bcoe 4 years ago

Most upvoted comments

Is this possible to authenticate without a keyfile?

+39

barocsi on May 10, 2019

Service account isn’t good for multi-stage environments and security. This should be reopened. You should be using the exposed environment that has the same values.

+36

ollyde on Nov 27, 2021

Hi @pikelnys.

You will have to specify keyFilename while creating the Storage object if you are deploying locally.

keyFilename is not required if you have deployed your code under the same project your Google Cloud Bucket was created. You just have to ensure you have the right access by having a look at your service-account-key.

This is well explained here

The error says cannot sign without client_email. client_email is available inside the service-account-key.json but was not provided while creating the object hence the error. This error would not have arrived had you deployed your code inside the same project as your Cloud Bucket was.

Here is a sample service-account-key.json file. Look for client_email in the file.

{
"type": "service_account",
"project_id": "[PROJECT-ID]",
"private_key_id": "[KEY-ID]"
"private_key": "-----BEGIN PRIVATE KEY-----\n[PRIVATE-KEY]\n-----END PRIVATE KEY-----\n",
"client_email": "[SERVICE-ACCOUNT-EMAIL]",
"client_id": "[CLIENT-ID]",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/[SERVICE-ACCOUNT-EMAIL]"
}

Steps to Follow.

Download the service account key in JSON format and specify its path inside keyFilename. Default service-account-key provided by Google has read-only access. So make sure if you want to write to your bucket you would have to change the permissions inside the service-account.

Here is the Google Codelab link for reference

var storage = new Storage({
  projectId: "your project id",
  keyFilename:"your-service-account-key.json"
});

Hope this resolves your issue.

+26

ujwalkagrawal on Nov 21, 2018

For anyone else that comes across this issue, here is a bit more info for posterity.

The GCP client libraries docs use the Storage libary as the example when leveraging ADC locally. The same docs also call out the fact that using service accounts locally is bad practice (see the Note in this section).

However, for some reason Google seems to contradict itself with the implementation of the getSignedUrl method and its corresponding endpoint. After a couple hours of debugging and re-reading the disparate and disconnected docs scattered all over the place, I found the source of the issue as documented here. V4 (and the legacy V2) signing requires usage of a service account.

It would be nice if Google would have bothered to call this out in the ADC docs where they use Storage as an example, or better yet, return the relevant instructions in the SigningError message, especially because they seemingly contradict themselves within the different docs on related topics.

Hope this helps someone!

+22

timbuckiii on Apr 9, 2023

I was getting “Cannot sign data without client_email” error when running firebase emulators:start.

I fixed it by setting up a service account and downloading the service account .json credentials file as service_account.json, then running GOOGLE_APPLICATION_CREDENTIALS="service_account.json" firebase emulators:start

+15

christiangenco on Feb 4, 2021

BUMP as there isn’t seem to be a way to deal with it via emulator without exposing dev/prod configs.

deimantasa on Nov 27, 2021

Got the issue and solved it thanks to this solution firebase-adminsdk-ov3eh@staging-louve.iam.gserviceaccount.com thanks @christiangenco

gbersac on May 4, 2023

Bump. Firebase emulator should emulate the environment, this appears to be a failure state

dwanderton on Jan 28, 2022

I recently wrote a Medium article describing a workaround I created for local development. There is also a git repo with my solution. Article | Repo I use IAM Credentials API coupled with a cloud function. Hope this helps someone.

jtrenton21 on Apr 19, 2023

Thanks @tritone, appreciate the response!

timbuckiii on Apr 13, 2023

Hey @timbuckiii and @ollyde , just wanted to note a couple things:

GCS does in fact support signing without having a local service account key file by using a GCE workload identity or service account impersonation to call signBlob. I definitely see that this could be clearer in the GCS docs and will file an internal issue to improve this.
The nodejs-storage library in particular does not yet have support for signing via service account impersonation. However, there is an open issue for this in the node auth library. Comment or follow along at googleapis/google-auth-library-nodejs#1443

Also, in the future, if you could open a new issue for any problems rather than commenting on a closed one, that would help us respond faster. Thanks!

tritone on Apr 12, 2023