Accessing files in the Google Cloud Storage from two different google cloud projects

Question

Consider the following situation:

• I have two AppEngine projects: A and B

• I have a Cloud Storage bucket with the following ACL:

  <?xml version="1.0" ?>
  <AccessControlList>
      <Owner>
          <ID>id-of-the-user-who-created-the-bucket</ID>
      </Owner>
      <Entries>
          <Entry>
              <Scope type="UserByEmail">
                  <EmailAddress>app-A-service-account-name</EmailAddress>
              </Scope>
              <Permission>FULL_CONTROL</Permission>
          </Entry>
          <Entry>
              <Scope type="UserByEmail">
                  <EmailAddress>app-B-service-account-name</EmailAddress>
              </Scope>
              <Permission>FULL_CONTROL</Permission>
          </Entry>
      </Entries>
  </AccessControlList>
  

• My GAE applications are written in Python and they are using GCS Client Library

Now, here is what I want to achieve: I want application A to create files inside the bucket and then application B to read them.

At first I tried to simply create a file with cloudstorage.open(file_name, 'w') and then read its status with cloudstorage.stat(file_name, 'r'), but this way I end up with the following error while reading:

ForbiddenError at /.../
Expect status [200] from Google Storage. But got status 403.

(The error message provides also request/response information: path, headers, body and extra info. Please let me know if you think they may be helpful in solving this case)

Then I started experimenting with ACLs by setting the x-googl-acl option while creating a file, for example:

cloudstorage.open(file_name, 'w', options={'x-goog-acl': 'authenticated-read'})

Although ACLs work as intended, none of the available options seem to fit my requirements:

• private - only the bucket owner has the access, B cannot read
• public-read - file is accessible by anonymous users, unacceptable
• public-read-write - same as above
• authenticated-read - everyone with authenticated account is able to read (even people who are not part of the project), so it's no different than the previous option
• bucket-owner-read - seems perfect, but it turns out that "the bucket owner" is NOT the user who was set as "owner" through the Cloud Console, but the user who created the bucket
• bucket-owner-full-control - same as above

It looks like I ran out of options, but I can't believe that such a simple thing cannot be achieved with the Cloud Storage. The only solution that comes to my mind is changing system's architecture, but I would like to avoid it. Any other suggestions?

Answer 1

Add the accessor Service Accounts (e.g. [email protected] or [email protected] for compute engine) as member with 'Editor' permission on project with the GCS bucket to use. This can be done in IAM page of the project that owns the bucket: https://console.developers.google.com/iam-admin/iam/project?project=app1