I created a Google App Engine application that listens for Google Cloud Storage notifications and whenever a new object is created in GCS, the application must open a new object and perform operations based on its contents. I cannot access the contents of the object when the application and the gcs bucket are in different projects.
Configuration:
I created a service account in project A with the permissions of the Warehouse Administrator , associated the GAE application with it, activated the service account using:
gcloud auth activate-service-account [ACCOUNT] --key-file = KEY_FILE
Then I created the gs: // some_bucket bucket in project B in the same region as my GAE application, and added my service account as the owner of the bucket.
I added a service account as a member of Project B with the permissions of the “Storage Object Administrator” permissions.
I created a watchbucket channel between my application and the bucket using
gsutil notification watchbucket -i [ChannelId] -t [Token] https: // [app-name] .appspot.com / gs: // some_bucket
My application now receives mail requests, I can parse them, find the source bucket, size, object name, etc., but I can not read the objects themselves. I get the following error.
{Location: ""; Message: "Access Denied: File gs: // some_bucket / some_object: Access Denied"; Reason: "accessDenied"}( A), . , .