Tags: macos, google-cloud-platform, command-line-interface, gsutil

Keystore password? Huh?


I am attempting to create a GCP Signed URL using instructions here. When I run the gsutil command to create my signed-url I am immediately prompted to enter my "Keystore password". So this:

    gsutil signurl -d 10m my-private-key.json gs://my-storage-bucket/index.html

results in this:

    Keystore password: [I enter a wrong password]
    Encountered an error while refreshing access token. If you are using a service account,
    please verify that the gs_service_key_file field in your config file(s), /Users/my-user/.boto, /Users/my-user/.config/gcloud/legacy_credentials/my-gcp-user-email/.boto, is correct.

To be frank I haven't the slightest what my keystore password is or even what keystore it is talking about. Is it a local Mac keystore? Is it a GCP keystore? Something else?

Any clues as to what keystore is being referenced or even how I might go about changing the password to something else are appreciated.


Solution

Here's what the signurl documentation says:

    gsutil signurl [-c <content_type>] [-d <duration>] [-m <http_method>] \
       [-p <password>] [-r <region>] keystore-file url...

[...]

    gsutil signurl <private-key-file> gs://some-bucket/some-object/

The signurl command uses the private key for a service account (the '' argument) to generate the cryptographic signature for the generated URL. The private key file must be in PKCS12 or JSON format. If the private key is encrypted the signed url command will prompt for the passphrase used to protect the private key file (default 'notasecret'). For more information regarding generating a private key for use with the signurl command please see the Authentication documentation.

So, the first argument after signurl, which in your question is my-private-key.json, is the keystore. It contains a private key.

Usually we encrypt private keys so that they are harder to steal. So when you created my-private-key.json, you were probably asked for a passphrase, and the passphrase was used to encrypt the private key.

But gsutil needs to decrypt the private key before it can use it to sign your URL. So gsutil needs the passphrase that was used to encrypt the private key. You need to enter that passphrase at the Keystore password: prompt. If you don't remember the passphrase you used to create the private key, then you will need to create a new private key.

(Perhaps the passphrase is in fact “notasecret”?)
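A pre-flight check that narrows down which keystore gsutil is about to read, added here as an example and not part of the answer above or of gsutil itself. It inspects the file passed as the first argument to signurl: a JSON service-account key is parsed and its embedded PEM key is checked for an "ENCRYPTED PRIVATE KEY" header (the case where a passphrase prompt is expected), while a DER-encoded PKCS12 file is recognised only by a first-byte heuristic and is assumed to need a passphrase. It also flags a key file that is readable by other users. The sample key below is constructed with placeholder values; the function names and the 0x30 heuristic are this example's own choices.

```python
import json
import os
import stat
import tempfile
from typing import Dict, List

# Constructed sample in the shape of a GCP service-account JSON key.
# Every value is a placeholder; the PEM body is deliberately not a real key.
SAMPLE_JSON_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "signer@example-project.iam.gserviceaccount.com",
}

REQUIRED_JSON_FIELDS = ("type", "private_key", "client_email")


def classify_keystore(data: bytes) -> Dict[str, object]:
    """Report the keystore format and whether a passphrase prompt should be expected.

    Returns {"format": "json" | "pkcs12" | "unknown",
             "passphrase_expected": bool,
             "problems": [str, ...]}.
    """
    problems: List[str] = []
    stripped = data.lstrip()

    if stripped.startswith(b"{"):
        try:
            obj = json.loads(data.decode("utf-8"))
        except (UnicodeDecodeError, ValueError) as exc:
            return {"format": "unknown", "passphrase_expected": False,
                    "problems": [f"not valid JSON: {exc}"]}
        for field in REQUIRED_JSON_FIELDS:
            if field not in obj:
                problems.append(f"missing field: {field}")
        if obj.get("type") != "service_account":
            problems.append("type is not 'service_account'")
        pem = obj.get("private_key", "")
        if "BEGIN" not in pem:
            problems.append("private_key does not look like PEM")
        # PKCS#8 encrypted keys carry this header; gsutil would need a passphrase for them.
        encrypted = "ENCRYPTED PRIVATE KEY" in pem
        return {"format": "json", "passphrase_expected": encrypted, "problems": problems}

    # PKCS12 is DER: an ASN.1 SEQUENCE, so the first byte is 0x30. Heuristic only.
    if stripped[:1] == b"\x30":
        return {"format": "pkcs12", "passphrase_expected": True, "problems": problems}

    return {"format": "unknown", "passphrase_expected": False,
            "problems": ["unrecognised keystore format"]}


def check_keystore_file(path: str) -> Dict[str, object]:
    """Classify a keystore on disk and flag group- or world-readable permissions."""
    with open(path, "rb") as fh:
        result = classify_keystore(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        result["problems"].append(f"file mode {mode:04o} is readable by others; use 0600")
    return result


if __name__ == "__main__":
    # Write the constructed sample to a temporary file and inspect it.
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        json.dump(SAMPLE_JSON_KEY, tmp)
        tmp_path = tmp.name
    os.chmod(tmp_path, 0o600)
    report = check_keystore_file(tmp_path)
    os.unlink(tmp_path)
    print(f"format={report['format']} passphrase_expected={report['passphrase_expected']}")
    for problem in report["problems"]:
        print("problem:", problem)
```

If the report says a passphrase is expected, prefer answering the interactive Keystore password: prompt over passing the documented -p <password> option on the command line, since command arguments are visible in process listings and shell history.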