Get a signed GCS URL when using Workload Identity #1107

Closed
pdilyard opened this issue Feb 1, 2022 · 3 comments

pdilyard commented Feb 1, 2022

Google no longer recommends using JSON service account private keys, instead favoring Workload Identity federation. I have django-storages working in a GKE cluster using Workload Identity, and while files are able to be uploaded and downloaded, I am unable to get a signed URL for the files. Instead, I am getting this error when calling my_model_instance.my_file_field.url:

AttributeError: you need a private key to sign credentials.the credentials you are currently using <class 'google.auth.compute_engine.credentials.Credentials'> just contains a token. see https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-account for more details.

Is there a way to trick django-storages into just making the request for the URL? I believe what is happening is that it thinks it's using Compute Engine Default SA credentials, even though the request should get intercepted by workload identity and be successful. I could be wrong, however.

pdilyard changed the title from "Get a signed GCS URL using WorkloadIdentity" to "Get a signed GCS URL when using Workload Identity" on Feb 1, 2022
sww314 (Contributor) commented Feb 13, 2022

@pdilyard see #941 for a similar issue. I am using Cloud Run vs GKE, but get the same error. There are some workarounds and a link to a Stack Overflow question that may help.

@codergolem

Should this issue be set to resolved? Now it is possible to generate signed URLs with Workload Identity; I have tested this myself.

@SachinMaharana

@codergolem Does this work with Workload Identity? Do we need to use a different storage backend? I am still getting the same error.
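
The error quoted in the issue is raised because token-only credentials carry no private key to sign with. As an added example (not code from this thread or from django-storages), one way to obtain a V4 signed URL from google-cloud-storage directly in that situation is to pass the service account email and access token so the library signs through the IAM signBlob API. `signing_kwargs` and `keyless_signed_url` are hypothetical helper names, the `sign_bytes` check is a duck-typed stand-in for the library's own test, and the service account is assumed to hold `iam.serviceAccounts.signBlob` on itself.

```python
"""Added example: keyless V4 signed URLs under Workload Identity."""
from datetime import timedelta


def signing_kwargs(credentials):
    """Extra kwargs for Blob.generate_signed_url() for these credentials.

    Credentials that hold a private key expose sign_bytes() and sign locally.
    Token-only credentials (metadata server / Workload Identity) do not, so the
    client library has to call IAM signBlob using the bearer token instead.
    """
    if hasattr(credentials, "sign_bytes"):
        return {}
    email = getattr(credentials, "service_account_email", None)
    token = getattr(credentials, "token", None)
    # Metadata-server credentials report "default" until refresh() has run.
    if not email or email == "default":
        raise ValueError("refresh the credentials to resolve the service account email")
    if not token:
        raise ValueError("credentials carry no access token; refresh them first")
    return {"service_account_email": email, "access_token": token}


def keyless_signed_url(bucket_name, blob_name, minutes=15):
    """Return a short-lived V4 GET URL without an exported JSON key."""
    # Imported here so signing_kwargs() stays usable without the Google libraries.
    import google.auth
    from google.auth.transport.requests import Request
    from google.cloud import storage

    credentials, _ = google.auth.default()
    if not hasattr(credentials, "sign_bytes"):
        credentials.refresh(Request())  # populates .token and the real SA email
    client = storage.Client(credentials=credentials)
    blob = client.bucket(bucket_name).blob(blob_name)
    return blob.generate_signed_url(
        version="v4",
        method="GET",
        expiration=timedelta(minutes=minutes),
        **signing_kwargs(credentials),
    )
```

The returned URL grants access to anyone who holds it until it expires, so the expiration is kept short and the signBlob permission is scoped to the one service account that needs it.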
