Access files on Google Cloud Storage from two different Google Cloud Projects

Consider the following situation:

  • I have two AppEngine projects: A and B
  • I have a Cloud Storage bucket with the following ACL:

    <?xml version="1.0" ?>
    <AccessControlList>
      <Owner>
        <ID>id-of-the-user-who-created-the-bucket</ID>
      </Owner>
      <Entries>
        <Entry>
          <Scope type="UserByEmail">
            <EmailAddress>app-A-service-account-name</EmailAddress>
          </Scope>
          <Permission>FULL_CONTROL</Permission>
        </Entry>
        <Entry>
          <Scope type="UserByEmail">
            <EmailAddress>app-B-service-account-name</EmailAddress>
          </Scope>
          <Permission>FULL_CONTROL</Permission>
        </Entry>
      </Entries>
    </AccessControlList>
  • My GAE applications are written in Python and they use the GCS Client Library

Now, here is what I want to achieve : I want application A to create files inside the bucket, and then application B to read them.

At first I tried to just create a file with cloudstorage.open(file_name, 'w') and then read its status using cloudstorage.stat(file_name, 'r') , but this way I get the following error while reading:

 ForbiddenError at /.../ Expect status [200] from Google Storage. But got status 403. 

(The error message also contains information about the request / response: the path, headers, body, and additional information. Please let me know if you think they can help solve this case)

Then I started experimenting with ACLs by setting the x-goog-acl option when creating the file, for example:

 cloudstorage.open(file_name, 'w', options={'x-goog-acl': 'authenticated-read'}) 

Although ACLs work as intended, none of the available options meets my requirements:

  • private - only the bucket owner has access, B cannot read
  • public-read - file is accessible to anonymous users, inappropriate
  • public-read-write - same as above
  • authenticated-read - everyone who has an authenticated account can read (even people who are not part of the project), so it does not differ from the previous option
  • bucket-owner-read - seems perfect, but it turns out that the "bucket owner" is NOT the user who was set as the "owner" through the Cloud Console, but the user who created the bucket
  • bucket-owner-full-control - same as above

It seems that I have no options left, but I can't believe that such a simple thing cannot be achieved with Cloud Storage. The only solution that comes to my mind is to change the architecture of the system, but I would like to avoid that. Any other suggestions?

1 answer

Add the service accounts of the accessing applications (for example, app1@appspot.gserviceaccount.com, or 1234567890-compute@developer.gserviceaccount.com for Compute Engine) as members with the "Editor" permission on the project that owns the GCS bucket. This can be done on that project's IAM page: https://console.developers.google.com/iam-admin/iam/project?project=app1

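The answer above grants the accessing service accounts project-level Editor, which does make the 403 go away but also hands those accounts write access to every resource in the project. The block below is an added example (not code from the question or the answer) that works through the two pieces a practitioner would want before and after applying that fix: it parses a legacy bucket ACL of the shape shown in the question and flags any public scope (the public-read / authenticated-read cases the question rejects), and it builds bucket-scoped IAM bindings in the Cloud Storage JSON API policy shape, giving app A `roles/storage.objectCreator` and app B `roles/storage.objectViewer` instead of Editor. The service-account addresses and bucket policy are constructed placeholders, not values from the page.

```python
# Added example, not from the original post: inspect a legacy Cloud Storage
# bucket ACL (XML as in the question) and build least-privilege, bucket-level
# IAM bindings for a writer app and a reader app. Account names are hypothetical.
import xml.etree.ElementTree as ET

# Constructed sample ACL: the question's two entries plus an extra
# AllAuthenticatedUsers grant, so the public-scope check has something to find.
SAMPLE_ACL_XML = """<?xml version="1.0" ?>
<AccessControlList>
  <Owner><ID>id-of-the-user-who-created-the-bucket</ID></Owner>
  <Entries>
    <Entry>
      <Scope type="UserByEmail"><EmailAddress>app-a@appspot.gserviceaccount.com</EmailAddress></Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="UserByEmail"><EmailAddress>app-b@appspot.gserviceaccount.com</EmailAddress></Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="AllAuthenticatedUsers"/>
      <Permission>READ</Permission>
    </Entry>
  </Entries>
</AccessControlList>"""

# Legacy ACL scope types that expose the bucket beyond the project.
PUBLIC_SCOPES = {"AllUsers", "AllAuthenticatedUsers"}
# IAM member names that do the same thing in the IAM policy model.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def parse_acl(xml_text):
    """Return a list of (scope_type, grantee, permission) tuples.

    grantee is None for scopes that have no identity (AllUsers, ...)."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.iter("Entry"):
        scope = entry.find("Scope")
        scope_type = scope.get("type")
        grantee = None
        for tag in ("EmailAddress", "ID", "Domain"):
            el = scope.find(tag)
            if el is not None and el.text:
                grantee = el.text.strip()
                break
        permission = (entry.findtext("Permission") or "").strip()
        entries.append((scope_type, grantee, permission))
    return entries


def public_grants(entries):
    """Entries that make the bucket readable or writable by anyone / any Google account."""
    return [e for e in entries if e[0] in PUBLIC_SCOPES]


def least_privilege_bindings(writer_sa, reader_sa):
    """Bucket-level bindings: writer may create objects, reader may read them.

    Uses the JSON API policy shape: {"bindings": [{"role": ..., "members": [...]}]}."""
    return [
        {"role": "roles/storage.objectCreator",
         "members": ["serviceAccount:" + writer_sa]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:" + reader_sa]},
    ]


def add_bindings(policy, new_bindings):
    """Merge bindings into an existing policy dict without duplicating members.

    Returns a new dict; the input policy is not modified."""
    by_role = {b["role"]: list(b["members"]) for b in policy.get("bindings", [])}
    for nb in new_bindings:
        members = by_role.setdefault(nb["role"], [])
        for m in nb["members"]:
            if m not in members:
                members.append(m)
    merged = dict(policy)
    merged["bindings"] = [{"role": r, "members": ms} for r, ms in sorted(by_role.items())]
    return merged


def check_policy(policy):
    """List problems a reviewer would flag: public members, or basic roles on a bucket."""
    problems = []
    for b in policy.get("bindings", []):
        for m in b["members"]:
            if m in PUBLIC_MEMBERS:
                problems.append("%s granted to %s" % (b["role"], m))
        if b["role"] in ("roles/editor", "roles/owner", "roles/viewer"):
            problems.append("basic role %s bound on bucket" % b["role"])
    return problems


if __name__ == "__main__":
    for scope_type, grantee, perm in parse_acl(SAMPLE_ACL_XML):
        print(scope_type, grantee, perm)
    print("public grants:", public_grants(parse_acl(SAMPLE_ACL_XML)))
    policy = add_bindings({"bindings": []}, least_privilege_bindings(
        "app-a@appspot.gserviceaccount.com", "app-b@appspot.gserviceaccount.com"))
    print(policy)
    print("problems:", check_policy(policy))
```

`add_bindings` is idempotent, so it can be run against a policy fetched from the bucket and written back without stacking duplicate members; `check_policy` is the pre-commit check for the two failure modes the question describes (public scopes) plus the over-broad basic roles the answer relies on.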

Source: https://habr.com/ru/post/972178/
