diff options
author | Florian Klink <flokli@flokli.de> | 2021-04-29T14·02+0200 |
---|---|---|
committer | Vincent Ambo <mail@tazj.in> | 2021-04-29T21·55+0200 |
commit | 7e8295189bbcd4a30ea684c65c0a3c343d4842a9 (patch) | |
tree | 661de1dfb2ee264b08882f569c4c79a5d7462ae7 /tools/nixery | |
parent | 970f49223599ec124809ead7be0b61e3e30431f9 (diff) |
docs: document unset GOOGLE_APPLICATION_CREDENTIALS
In case the `GOOGLE_APPLICATION_CREDENTIALS` environment variable is not set, a redirect to storage.googleapis.com is issued, which means the underlying bucket objects need to be publicly accessible. This wasn't really obvious until now, so further clarify it.
Diffstat (limited to 'tools/nixery')
-rw-r--r-- | tools/nixery/README.md | 4 | ||||
-rw-r--r-- | tools/nixery/storage/gcs.go | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/tools/nixery/README.md b/tools/nixery/README.md index c701a0e62ee1..cebf28b58492 100644 --- a/tools/nixery/README.md +++ b/tools/nixery/README.md @@ -94,6 +94,10 @@ account key, Nixery will also use this key to create [signed URLs][] for layers in the storage bucket. This makes it possible to serve layers from a bucket without having to make them publicly available. +In case the `GOOGLE_APPLICATION_CREDENTIALS` environment variable is not set, a +redirect to storage.googleapis.com is issued, which means the underlying bucket +objects need to be publicly accessible. + ### Storage Nixery supports multiple different storage backends in which its build cache and diff --git a/tools/nixery/storage/gcs.go b/tools/nixery/storage/gcs.go index eac34461af76..a4bb4ba31f67 100644 --- a/tools/nixery/storage/gcs.go +++ b/tools/nixery/storage/gcs.go @@ -222,6 +222,10 @@ func signingOptsFromEnv() (*storage.SignedURLOptions, error) { // Signing the URL allows unauthenticated clients to retrieve objects from the // bucket. // +// In case signing is not configured, a redirect to storage.googleapis.com is +// issued, which means the underlying bucket objects need to be publicly +// accessible. +// // The Docker client is known to follow redirects, but this might not be true // for all other registry clients. func (b *GCSBackend) constructLayerUrl(digest string) (string, error) { |