From 7e8295189bbcd4a30ea684c65c0a3c343d4842a9 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Thu, 29 Apr 2021 16:02:26 +0200
Subject: docs: document unset GOOGLE_APPLICATION_CREDENTIALS

In case the `GOOGLE_APPLICATION_CREDENTIALS` environment variable is not set, a redirect to storage.googleapis.com is issued, which means the underlying bucket objects need to be publicly accessible. This wasn't really obvious until now, so further clarify it.
---
 tools/nixery/storage/gcs.go | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'tools/nixery/storage')

diff --git a/tools/nixery/storage/gcs.go b/tools/nixery/storage/gcs.go
index eac34461af76..a4bb4ba31f67 100644
--- a/tools/nixery/storage/gcs.go
+++ b/tools/nixery/storage/gcs.go
@@ -222,6 +222,10 @@ func signingOptsFromEnv() (*storage.SignedURLOptions, error) {
 // Signing the URL allows unauthenticated clients to retrieve objects from the
 // bucket.
 //
+// In case signing is not configured, a redirect to storage.googleapis.com is
+// issued, which means the underlying bucket objects need to be publicly
+// accessible.
+//
 // The Docker client is known to follow redirects, but this might not be true
 // for all other registry clients.
 func (b *GCSBackend) constructLayerUrl(digest string) (string, error) {
-- cgit 1.4.1
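Review bot: The added paragraph says "signing is not configured" without naming what configures it. The commit message ties this to `GOOGLE_APPLICATION_CREDENTIALS` being unset, and the comment should say so too, for example `// In case signing is not configured (GOOGLE_APPLICATION_CREDENTIALS is unset), a redirect to ...`. It would also help to state the consequence for operators: once the objects are public, they can be read straight from the bucket without going through Nixery, so the bucket should hold nothing that is not meant to be world-readable. Because this note lives only in a comment in gcs.go, the same requirement probably belongs in the deployment documentation as well. The body of constructLayerUrl lies outside the hunk, so whether the unsigned fallback is logged at runtime cannot be checked from here.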