signer

# File activestorage/lib/active_storage/service/gcs_service.rb, line 211
      def signer
        # https://googleapis.dev/ruby/google-cloud-storage/latest/Google/Cloud/Storage/Project.html#signed_url-instance_method
        lambda do |string_to_sign|
          iam_client = Google::Apis::IamcredentialsV1::IAMCredentialsService.new

          # We explicitly do not set iam_client.authorization so that it uses the
          # credentials set by the application at Google::Apis::RequestOptions.default.authorization.
          # If the application does not set it, the GCP libraries will automatically
          # determine it on each call. This code previously explicitly set the
          # authorization to Google::Auth.get_application_default which triggers
          # an explicit call to the metadata server - given this lambda is called
          # for a significant number of file operations, it can lead to considerable
          # tail latencies and even metadata server overloads. Additionally, that
          # prevented applications from being able to configure the credentials
          # used to perform the signature operation.

          request = Google::Apis::IamcredentialsV1::SignBlobRequest.new(
            payload: string_to_sign
          )
          resource = "projects/-/serviceAccounts/#{issuer}"
          response = iam_client.sign_service_account_blob(resource, request)
          response.signed_blob
        end
      end