blobstore.enable_signed_urls config property was first introduced in bosh v270.8 and the ubuntu-xenial 621.x stemcell.
Opting into this feature changes the agent to manage artifacts on the blobstore using signed URLs. The goal is to remove blobstore credentials from all bosh deployed vms and replace access with signed URLs granting scoped actions.
For the purpose of this feature, "supported stemcells" are ubuntu-xenial 621.x and later. Supported windows stemcells are coming soon.
Enabling the feature flag¶
This feature can be enabled by updating the bosh director manifest with the following properties:
blobstore.enable_signed_urls: Set this to true to have the director begin sending signed urls to the agent.
You must continue configuring
blobstore.* properties. Enabling signed URLs
should work alongside blobstore provider specific encryption options such as
blobstore.encryption_key (GCS) and
An ops-file in bosh-deployment can be used to enable signed urls. See: https://github.com/cloudfoundry/bosh-deployment/blob/master/enable-signed-urls.yml This ops-file assumes a DAV blobstore.
Removing blobstore credentials from agent VM¶
After turning on this feature flag, credentials may still be required on VM disks. This is because we cannot guarantee that all VMs are deployed with supported stemcells. The bosh-agent on past stemcells still requires blobstore credentials.
As an operator, you can remove credentials from deployment VMs by making the following changes:
- If all deployments are using supported stemcells, override
blobstoresto an empty array in the director manifest.
instance_groups: - name: bosh ... properties: agent: env: bosh: blobstores: 
- For deployments on supported stemcells, override individual deployment manifests with the following property:
instance_groups: - name: zookeeper ... properties: env: bosh: blobstores: 
- For deployments on unsupported stemcells, please do not make any blobstore
modifications as blobstore config may be coming from
blobstoresor your CPI.
For DAV blobstores, please also configure:
blobstore.secret: The secret used to calculate the signed urls' signature
Additionally, when updating
blobstore.enable_signed_urls from true to false,
the director will stop generating and sending signed urls to the agents. If you
update the property to false, you must also recreate all VMs managed by bosh
in order to propagate blobstore credentials to the VMs. If you do not recreate
the VMs, none of the agents will have blobstore credentials to correctly