generate_signed_url allows create of urls with expiration greater than 7 days

[sww314]

Environment details

• OS type and version:
• Python version: Python 3.8.6
• pip version: pip 20.3.3
• google-cloud-storage version: Version: 1.37.1

Steps to reproduce

1. Generate a signed url with an expiration of more than 7 days in the future
2. Save it
3. Wait for 7+ days
4. Try to access the URL

Code example

    expiration = timedelta(seconds=45*86400)  #45 days
    signed_url = blob.generate_signed_url(
        expiration=expiration,
        service_account_email=service_account_email,
        access_token=credentials.token,
    )

Stack trace

After 7 days accessing the URL will result in this error:

<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Message>
<StringToSign>GET 1629488504 /BUCKET_NAME/inspection-media/DSC00095.JPG</StringToSign>
</Error>

This used to work, but the documentation recently updated here, to include a warning instead of just saying
https://cloud.google.com/storage/docs/access-control/signed-urls-v2

This is a big issue for us. We generate exports of data including spreadsheets. Our customers want the access in these exports to work for more than 7 days.

• The documentation should be very clear that signed urls are invalid after 7 days with an error message that is not clear. I assume this is because the underlying key has been rotated out.
• The library should reject expiration dates to far in the future.

[shaffeeullah]

Hi @sww314 ,

Per security guidance, v4 signed URLs expire after a maximum of 7 days. v2 signed URLs using a Google-managed service account key will expire after 14 days when the service account is rotated. It is not recommended to use signed URLs to share files with another user permanently. In this case, we recommend giving them direct access to the file. If you would like your v2 signed URL to never expire (this is not recommended) you can deploy your app with a service account json file containing a private key.

[shaffeeullah]

Please reopen this issue if you have further questions.

[sww314]

@Shabirmean I do not think this should be closed.

• the library documentation does not match with how the system now works.
• generate_signed_url accepts values that are no longer allowed

This is a significant breaking change if you use signed urls and it is confusing to debug. Users of libraries like https://github.com/jschneier/django-storages will have things break.

[Shabirmean]

@Shabirmean I do not think this should be closed.

• the library documentation does not match with how the system now works.
• generate_signed_url accepts values that are no longer allowed

This is a significant breaking change if you use signed urls and it is confusing to debug. Users of libraries like https://github.com/jschneier/django-storages will have things break.

mentioning @shaffeeullah, because I believe @sww314 intended to tag you :)

[shaffeeullah]

Hi @sww314 ,

A signed URL with no version specified will default to v4.

python-storage/google/cloud/storage/blob.py

Line 586 in 0dbbb8a

helper = generate_signed_url_v4

If a value is passed to v4 signed url longer than 7 days, an exception is thrown

python-storage/google/cloud/storage/_signing.py

Lines 158 to 161 in 0dbbb8a

	if seconds > SEVEN_DAYS:
	raise ValueError(
	"Max allowed expiration interval is seven days {}".format(SEVEN_DAYS)
	)

Based on the repro steps you have provided, it seems that you are hitting this case. Is it possible that you are catching this error and that it is failing silently?