Storage: add support for signing URLs using IAM / tokens.

[tseaver]

/cc @frankyn. Follow-on from PR #7460; see also issue #922.

Currently, Blob.generate_signed_url can only be used where the blob's client has tokens which support signing (i.e., service accounts, GAE accounts). Although such credentials are widespread, they are not ubiquitous: in particular, the default credentials available on GCE do not support signing.

An alternate implementation is available using the IAM service and access tokens. For an outline, see the Ruby PoC for V4 signing.

For this issue, please adapt that implementation for both V2 and V4 signed URLs.

[tseaver]

google-auth 1.5.0 added support for creating IAM-based signing credentials on a GCE instance. I think this works to pass to the generate_signed_url methods:

from google.auth.compute_engine.credentials import IDTokenCredential

token_creds = IDTokenCredential(
    request=blob.client._http,
    target_audience="https://storage.googleapis.com",  # is that the right URL?
)
url = blob.generate_signed_url(credentials=token_creds)

@frankyn Is that support sufficient for this issue?

[frankyn]

Thanks @tseaver, I think allowing a user to provide credentials is reasonable.

I want to have the method to use the type of ADC the client is using to perform signing.

[VJalili]

@tseaver @frankyn any suggestions on the easiest approach for signing blob using oauth2client.client.AccessTokenCredentials or access token?

[HemangChothani]

@crwilcox Should i add a system test for the feature, if yes than i need to update noxfile.py for google-cloud-iam installation which is used to generate_access_token , is it ok to update noxfile.py .
please guide.

[crwilcox]

I think this is a good idea. Please add iam as a dependency in nox for system test runs. If we decide later we don't want to take it we can always move it to a sample, but it would be good to have a live usage.