On GAE: "pyOpenSSL must be installed to load a private key" #1487

Closed
kvdb opened this issue Feb 18, 2016 · 8 comments

kvdb commented Feb 18, 2016

I've tried gcloud 0.10.0 on the local dev_appserver.py. While I've got the same problem as reported in #1436, I've got an additional exception too:

    File "/x/libs/gcloud/storage/blob.py", line 233, in generate_signed_url
      generation=generation)
    File "/x/libs/gcloud/credentials.py", line 379, in generate_signed_url
      string_to_sign)
    File "/x/libs/gcloud/credentials.py", line 267, in _get_signed_query_params
      signature_bytes = _get_signature_bytes(credentials, string_to_sign)
    File "/x/libs/gcloud/credentials.py", line 215, in _get_signature_bytes
      pkey = _get_pem_key(credentials)
    File "/x/libs/gcloud/credentials.py", line 191, in _get_pem_key
      'pyOpenSSL must be installed to load a private key')
    EnvironmentError: pyOpenSSL must be installed to load a private key

That problem seems to be related to PR #1338.

Contributor

dhermes commented Feb 19, 2016

This is a code-path I didn't anticipate, since in production GAE the code would just use

Do you have custom code for using service accounts with dev_appserver? I've been meaning to (#574) document how this works but have never tried it.

Also, I need to just push this functionality into oauth2client and not depend (at least not in an explicit way) on any of the Crypto libraries. oauth2client would be able to do this just fine with PyCrypto, but only ServiceAccountCredentials implements sign_blob (as of 2.0.0) so it's as simple as implementing that method on the GCE and GAE credentials classes and then deleting all of our custom code.
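The design described in the comment above (URL signing that relies only on the credentials' `sign_blob`, with no direct crypto-library import), as an added example that is not part of the original thread or gcloud-python's code. `StubSigningCredentials`, `NonSigningCredentials`, `build_string_to_sign` and `get_signed_query_params` are hypothetical names; the HMAC signer is a constructed stand-in for a real RSA key, and the string-to-sign assumes the legacy signed-URL layout with no extension headers.

```python
import base64
import hashlib
import hmac


class StubSigningCredentials(object):
    """Constructed stand-in for credentials that can sign.

    Mirrors the (key_id, signature) return shape of sign_blob; HMAC-SHA256
    replaces the real RSA signature so the example runs on the stdlib only.
    """
    service_account_email = 'svc@example-project.iam.gserviceaccount.com'

    def __init__(self, secret):
        self._secret = secret

    def sign_blob(self, blob):
        digest = hmac.new(self._secret, blob, hashlib.sha256).digest()
        return 'stub-key-id', digest


class NonSigningCredentials(object):
    """Constructed stand-in for credentials with no sign_blob method."""
    service_account_email = 'default@example-project.iam.gserviceaccount.com'


def build_string_to_sign(method, resource, expiration,
                         content_md5='', content_type=''):
    # Newline-joined fields that get signed (assumed: no extension headers).
    return '\n'.join([method, content_md5, content_type,
                      str(expiration), resource])


def get_signed_query_params(credentials, expiration, string_to_sign):
    """Hypothetical helper: sign via the credentials, not a crypto import."""
    sign_blob = getattr(credentials, 'sign_blob', None)
    if sign_blob is None:
        # Report the real cause instead of blaming a missing library.
        raise AttributeError('%s cannot sign blobs; use credentials that '
                             'implement sign_blob'
                             % type(credentials).__name__)
    _, signature = sign_blob(string_to_sign.encode('utf-8'))
    return {
        'GoogleAccessId': credentials.service_account_email,
        'Expires': str(expiration),
        'Signature': base64.b64encode(signature).decode('ascii'),
    }
```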

Author

kvdb commented Feb 19, 2016

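Not sure if I understand you correctly, but we're using this code in GAE to set up GCS. Hope it helps:

    from google.appengine.api import app_identity
    from gcloud import storage

    # Build the client from the service account key file,
    # then look up the bucket and blob.
    project = app_identity.get_application_id()
    client = storage.Client.from_service_account_json(
        'service_account.json', project)
    bucket = client.get_bucket(bucket)
    blob = bucket.blob(fname)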

We're not using the appidentity parameters for dev_appserver.

Contributor

dhermes commented Feb 19, 2016

Got it. I figured you were using

    from oauth2client.client import GoogleCredentials
    credentials = GoogleCredentials.get_application_default()
    # OR
    from oauth2client.contrib.appengine import AppAssertionCredentials
    credentials = AppAssertionCredentials([])

RE: "We're not using the appidentity parameters for dev_appserver."

Does this mean you use 'service_account.json' in the dev_appserver but use the GAE service account in production?

@theacodes
Contributor

> Does this mean you use 'service_account.json' in the dev_appserver but use the GAE service account in production?

I wrote lots of projects that used service_account.json in both environments, as it's currently the only way to do domain-wide delegation of authority.

Contributor

dhermes commented Feb 19, 2016

Yeah I am going to push our auth / signing stuff upstream today (finally). Won't drop pyOpenSSL from setup.py but this will at least keep GAE from being b0rken.

@dhermes dhermes added type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. api: core auth labels Feb 19, 2016
Contributor

dhermes commented Feb 19, 2016

FYI once googleapis/oauth2client#421 is in, we can tear out most of the auth code in gcloud-python. Yay (sort of!)

Author

kvdb commented Mar 10, 2016

@dhermes: we're using the same service_account.json in dev_appserver as well as in production.

Contributor

dhermes commented Mar 11, 2016

@kvdb This should work just fine now. Please let me know if it does not.
