tustvold commented on code in PR #5300:
URL: https://github.com/apache/arrow-rs/pull/5300#discussion_r1550123938
##########
object_store/src/gcp/credential.rs:
##########
@@ -82,6 +93,69 @@ impl From<Error> for crate::Error {
}
}
+/// A Google Cloud Storage Credential for signing
+#[derive(Debug)]
+pub struct GcpSigningCredential {
+ /// The email of the service account
+ pub email: String,
+
+ /// An optional PEM-encoded RSA private key
+ ///
+ /// If provided this will be used to sign the URL, otherwise a call will
be made to
+ /// [`iam.serviceAccounts.signBlob`]. This allows supporting credential
sources
+ /// that don't expose the service account private key, e.g. [IMDS].
+ ///
+ /// [IMDS]:
https://cloud.google.com/docs/authentication/get-id-token#metadata-server
+ /// [`iam.serviceAccounts.signBlob`]:
https://cloud.google.com/storage/docs/authentication/creating-signatures
+ pub private_key: Option<ServiceAccountKey>,
+}
+
+/// A private RSA key for a service account
+#[derive(Debug)]
+pub struct ServiceAccountKey(RsaKeyPair);
Review Comment:
This prevents the ring types from leaking into the public API, whilst still
avoiding needing to parse the RSA key for every sign request
##########
object_store/src/gcp/credential.rs:
##########
@@ -295,21 +376,6 @@ fn seconds_since_epoch() -> u64 {
.as_secs()
}
-fn decode_first_rsa_key(private_key_pem: String) -> Result<RsaKeyPair> {
Review Comment:
Moving this into ServiceAccountKey avoids doing this multiple times
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
