From a69371d46309b7b69c3a849f867c66aba4678c6c Mon Sep 17 00:00:00 2001
From: Tiger Kaovilai
Date: Thu, 5 Oct 2023 10:23:43 -0400
Subject: [PATCH] Unbreak compute engine url signing
Signed-off-by: Tiger Kaovilai
Remove doc assumptions that `GKE Workload Identity` = `Workload Identity Federation` and cannot generate signed URLs
Signed-off-by: Tiger Kaovilai
---
 README.md | 2 --
 changelogs/unreleased/159-kaovilai | 1 +
 velero-plugin-for-gcp/object_store.go | 6 ++++--
 3 files changed, 5 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/unreleased/159-kaovilai
diff --git a/README.md b/README.md
index 61e0ecf..4dd4a89 100644
--- a/README.md
+++ b/README.md
@@ -175,8 +175,6 @@ This involves creating an external credential file and using it as `--secret-fil
 
 #### Option 3: Using GKE Workload Identity
 
-Keep in mind that [Workforce Identity Federation Users cannot generate signed URLs](https://cloud.google.com/iam/docs/federated-identity-supported-services#:~:text=workforce%20identity%20federation%20users%20cannot%20generate%20signed%20URLs.). This means, if you are using Workforce Identity Federation, you will not be able to run `velero backup logs`, `velero backup download`, `velero backup describe` and `velero restore describe`.
-
 This requires a GKE cluster with workload identity enabled.
 
 1. Create Velero Namespace
diff --git a/changelogs/unreleased/159-kaovilai b/changelogs/unreleased/159-kaovilai
new file mode 100644
index 0000000..b72f484
--- /dev/null
+++ b/changelogs/unreleased/159-kaovilai
@@ -0,0 +1 @@
+Regression fix: Unbreak signed urls for compute engine
\ No newline at end of file
diff --git a/velero-plugin-for-gcp/object_store.go b/velero-plugin-for-gcp/object_store.go
index a99909f..8a90157 100644
--- a/velero-plugin-for-gcp/object_store.go
+++ b/velero-plugin-for-gcp/object_store.go
@@ -301,8 +301,10 @@ func (o *ObjectStore) SignBytes(bytes []byte) ([]byte, error) {
 }
 
 func (o *ObjectStore) CreateSignedURL(bucket, key string, ttl time.Duration) (string, error) {
-	if o.fileCredType != serviceAccountKey {
-		return "", errors.New("cannot sign blob using non SA file credentials")
+	// googleAccessID is initialized from ServiceAccount key file and compute engine credentials.
+	// If using external_account credentials, googleAccessID will be empty and we cannot create signed URL.
+	if o.googleAccessID == "" {
+		return "", errors.New("GoogleAccessID is empty, perhaps using external_account credentials, cannot create signed URL")
 	}
 	options := storage.SignedURLOptions{
 		GoogleAccessID: o.googleAccessID,
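Review bot: The new guard `if o.googleAccessID == ""` reports its cause as a guess ("perhaps using external_account credentials") although the actual credential kind is at hand in `o.fileCredType`, which the removed check consulted; including it makes the refusal self-diagnosing, e.g. `return "", fmt.Errorf("cannot create signed URL: GoogleAccessID is empty (credential type %v)", o.fileCredType)` if fmt is in scope in this file. Go error strings are also conventionally lowercase, so the message should not open with `GoogleAccessID`. The two-line comment above the guard describes what the initializer does rather than what this function checks, and it stays true only as long as whoever sets googleAccessID keeps that behaviour; a shorter `// Empty when the loaded credentials do not identify a signer (e.g. external_account); refuse rather than build an unsignable URL.` states the local contract. CreateSignedURL's body continues outside the hunk, so whether the compute-engine path also supplies a signing method (PrivateKey or SignBytes) to storage.SignedURL cannot be confirmed from this hunk.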