docs: document unset GOOGLE_APPLICATION_CREDENTIALS

In case the `GOOGLE_APPLICATION_CREDENTIALS` environment variable is not set, a redirect to storage.googleapis.com is issued, which means the underlying bucket objects need to be publicly accessible. This wasn't really obvious until now, so further clarify it.
2025-03-14 21:51:52 +00:00 · 2021-04-29 16:02:26 +02:00 · 2021-04-29 16:02:26 +02:00 · 8aef070dc6
commit 8aef070dc6
parent fd3dc4422f
2 changed files with 8 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -94,6 +94,10 @@ account key, Nixery will also use this key to create [signed URLs][] for layers
 in the storage bucket. This makes it possible to serve layers from a bucket
 without having to make them publicly available.

+In case the `GOOGLE_APPLICATION_CREDENTIALS` environment variable is not set, a
+redirect to storage.googleapis.com is issued, which means the underlying bucket
+objects need to be publicly accessible.
+
 ### Storage

 Nixery supports multiple different storage backends in which its build cache and
--- a/storage/gcs.go
+++ b/storage/gcs.go
@ -222,6 +222,10 @@ func signingOptsFromEnv() (*storage.SignedURLOptions, error) {
 // Signing the URL allows unauthenticated clients to retrieve objects from the
 // bucket.
 //
+// In case signing is not configured, a redirect to storage.googleapis.com is
+// issued, which means the underlying bucket objects need to be publicly
+// accessible.
+//
 // The Docker client is known to follow redirects, but this might not be true
 // for all other registry clients.
 func (b *GCSBackend) constructLayerUrl(digest string) (string, error) {