author Florian Klink <flokli@flokli.de> 2021-04-29T14·02+0200
committer Vincent Ambo <mail@tazj.in> 2021-04-29T21·55+0200
commit 7e8295189bbcd4a30ea684c65c0a3c343d4842a9
tree 661de1dfb2ee264b08882f569c4c79a5d7462ae7
parent 970f49223599ec124809ead7be0b61e3e30431f9
docs: document unset GOOGLE_APPLICATION_CREDENTIALS
In case the `GOOGLE_APPLICATION_CREDENTIALS` environment variable is not
set, a redirect to storage.googleapis.com is issued, which means the
underlying bucket objects need to be publicly accessible.

This wasn't really obvious until now, so further clarify it.
-rw-r--r-- tools/nixery/README.md 4
-rw-r--r-- tools/nixery/storage/gcs.go 4
2 files changed, 8 insertions, 0 deletions
diff --git a/tools/nixery/README.md b/tools/nixery/README.md
index c701a0e62ee1..cebf28b58492 100644
--- a/tools/nixery/README.md
+++ b/tools/nixery/README.md
@@ -94,6 +94,10 @@ account key, Nixery will also use this key to create [signed URLs][] for layers
 in the storage bucket. This makes it possible to serve layers from a bucket
 without having to make them publicly available.
 
+In case the `GOOGLE_APPLICATION_CREDENTIALS` environment variable is not set, a
+redirect to storage.googleapis.com is issued, which means the underlying bucket
+objects need to be publicly accessible.
+
 ### Storage
 
 Nixery supports multiple different storage backends in which its build cache and
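Review bot: The added README paragraph states the requirement ("objects need to be publicly accessible") but not what it means for an operator: with `GOOGLE_APPLICATION_CREDENTIALS` unset, every layer in the bucket can be fetched directly from storage.googleapis.com by anyone, without going through Nixery. Since the preceding context already explains that signed URLs let layers be served "without having to make them publicly available", consider adding one sentence that says so explicitly, for example that operators who want to keep the bucket private must set the variable, and that leaving it unset on a private bucket results in redirects the client cannot fetch.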
diff --git a/tools/nixery/storage/gcs.go b/tools/nixery/storage/gcs.go
index eac34461af76..a4bb4ba31f67 100644
--- a/tools/nixery/storage/gcs.go
+++ b/tools/nixery/storage/gcs.go
@@ -222,6 +222,10 @@ func signingOptsFromEnv() (*storage.SignedURLOptions, error) {
 // Signing the URL allows unauthenticated clients to retrieve objects from the
 // bucket.
 //
+// In case signing is not configured, a redirect to storage.googleapis.com is
+// issued, which means the underlying bucket objects need to be publicly
+// accessible.
+//
 // The Docker client is known to follow redirects, but this might not be true
 // for all other registry clients.
 func (b *GCSBackend) constructLayerUrl(digest string) (string, error) {
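Review bot: The new comment on `constructLayerUrl` describes the condition as "signing is not configured", while the README paragraph added in the same commit describes it as `GOOGLE_APPLICATION_CREDENTIALS` not being set. Naming the environment variable here as well, or pointing at `signingOptsFromEnv`, would make it clear that both texts refer to the same condition. Because the unsigned fallback only works against a publicly readable bucket, it may also be worth emitting a log line when signing options are absent, so that the mode in use is visible to the operator and not only documented in a comment.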