Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Accessing files in the Google Cloud Storage from two different google cloud projects

Consider the following situation:

  • I have two AppEngine projects: A and B
  • I have a Cloud Storage bucket with the following ACL:

    <?xml version="1.0" ?>
    <AccessControlList>
        <Owner>
            <ID>id-of-the-user-who-created-the-bucket</ID>
        </Owner>
        <Entries>
            <Entry>
                <Scope type="UserByEmail">
                    <EmailAddress>app-A-service-account-name</EmailAddress>
                </Scope>
                <Permission>FULL_CONTROL</Permission>
            </Entry>
            <Entry>
                <Scope type="UserByEmail">
                    <EmailAddress>app-B-service-account-name</EmailAddress>
                </Scope>
                <Permission>FULL_CONTROL</Permission>
            </Entry>
        </Entries>
    </AccessControlList>
    
  • My GAE applications are written in Python and they are using GCS Client Library

Now, here is what I want to achieve: I want application A to create files inside the bucket and then application B to read them.

At first I tried to simply create a file with cloudstorage.open(file_name, 'w') and then read its status with cloudstorage.stat(file_name, 'r'), but this way I end up with the following error while reading:

ForbiddenError at /.../
Expect status [200] from Google Storage. But got status 403.

(The error message provides also request/response information: path, headers, body and extra info. Please let me know if you think they may be helpful in solving this case)

Then I started experimenting with ACLs by setting the x-googl-acl option while creating a file, for example:

cloudstorage.open(file_name, 'w', options={'x-goog-acl': 'authenticated-read'})

Although ACLs work as intended, none of the available options seem to fit my requirements:

  • private - only the bucket owner has the access, B cannot read
  • public-read - file is accessible by anonymous users, unacceptable
  • public-read-write - same as above
  • authenticated-read - everyone with authenticated account is able to read (even people who are not part of the project), so it's no different than the previous option
  • bucket-owner-read - seems perfect, but it turns out that "the bucket owner" is NOT the user who was set as "owner" through the Cloud Console, but the user who created the bucket
  • bucket-owner-full-control - same as above

It looks like I ran out of options, but I can't believe that such a simple thing cannot be achieved with the Cloud Storage. The only solution that comes to my mind is changing system's architecture, but I would like to avoid it. Any other suggestions?

like image 769
piotrekw Avatar asked Jul 14 '14 14:07

piotrekw


1 Answers

Add the accessor Service Accounts (e.g. [email protected] or [email protected] for compute engine) as member with 'Editor' permission on project with the GCS bucket to use. This can be done in IAM page of the project that owns the bucket: https://console.developers.google.com/iam-admin/iam/project?project=app1

like image 108
Ashish Awasthi Avatar answered Oct 04 '22 20:10

Ashish Awasthi