-rw-r--r-- | tools/nixery/README.md | 4 | ||||
-rw-r--r-- | tools/nixery/storage/gcs.go | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/tools/nixery/README.md b/tools/nixery/README.md
index c701a0e62ee1..cebf28b58492 100644
--- a/tools/nixery/README.md
+++ b/tools/nixery/README.md
@@ -94,6 +94,10 @@ account key, Nixery will also use this key to create [signed URLs][] for layers
 in the storage bucket. This makes it possible to serve layers from a bucket
 without having to make them publicly available.
 
+In case the `GOOGLE_APPLICATION_CREDENTIALS` environment variable is not set, a
+redirect to storage.googleapis.com is issued, which means the underlying bucket
+objects need to be publicly accessible.
+
 ### Storage
 
 Nixery supports multiple different storage backends in which its build cache and
diff --git a/tools/nixery/storage/gcs.go b/tools/nixery/storage/gcs.go
index eac34461af76..a4bb4ba31f67 100644
--- a/tools/nixery/storage/gcs.go
+++ b/tools/nixery/storage/gcs.go
@@ -222,6 +222,10 @@ func signingOptsFromEnv() (*storage.SignedURLOptions, error) {
 // Signing the URL allows unauthenticated clients to retrieve objects from the
 // bucket.
 //
+// In case signing is not configured, a redirect to storage.googleapis.com is
+// issued, which means the underlying bucket objects need to be publicly
+// accessible.
+//
 // The Docker client is known to follow redirects, but this might not be true
 // for all other registry clients.
 func (b *GCSBackend) constructLayerUrl(digest string) (string, error) { |
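Review bot: The added doc comment on constructLayerUrl in gcs.go says "signing is not configured" without naming the setting that controls it, while the README hunk of the same commit names `GOOGLE_APPLICATION_CREDENTIALS`. Naming the variable in the comment as well would show a reader of gcs.go which setting moves layer delivery from signed URLs to a publicly readable bucket. Because the unsigned path is selected by the absence of a setting rather than by an explicit choice, the comment should also state the consequence, for example `// Without signing, every layer object must be world-readable; avoid this mode for images that may contain private data.` The body of constructLayerUrl lies outside the hunk, so it is not visible whether the fallback is logged. If it is not, a warning at startup would make the exposure hard to miss.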