Consider the following situation:
I have a Cloud Storage bucket with the following ACL:
<?xml version="1.0" ?>
<AccessControlList>
  <Owner>
    <ID>id-of-the-user-who-created-the-bucket</ID>
  </Owner>
  <Entries>
    <Entry>
      <Scope type="UserByEmail">
        <EmailAddress>app-A-service-account-name</EmailAddress>
      </Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="UserByEmail">
        <EmailAddress>app-B-service-account-name</EmailAddress>
      </Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
  </Entries>
</AccessControlList>
My GAE applications are written in Python and use the GCS Client Library.
Now, here is what I want to achieve: I want application A to create files inside the bucket and then application B to read them.
At first I tried to simply create a file with cloudstorage.open(file_name, 'w') and then read its status with cloudstorage.stat(file_name, 'r'), but this way I end up with the following error while reading:
ForbiddenError at /.../
Expect status [200] from Google Storage. But got status 403.
(The error message also provides request/response information: path, headers, body and extra info. Please let me know if you think they may be helpful in solving this case.)
Then I started experimenting with ACLs by setting the x-goog-acl option while creating a file, for example:
cloudstorage.open(file_name, 'w', options={'x-goog-acl': 'authenticated-read'})
Although ACLs work as intended, none of the available options seem to fit my requirements:
- private - only the bucket owner has access, B cannot read
- public-read - the file is accessible by anonymous users, unacceptable
- public-read-write - same as above
- authenticated-read - everyone with an authenticated account is able to read (even people who are not part of the project), so it's no different from the previous option
- bucket-owner-read - seems perfect, but it turns out that "the bucket owner" is NOT the user who was set as "owner" through the Cloud Console, but the user who created the bucket
- bucket-owner-full-control - same as above

It looks like I ran out of options, but I can't believe that such a simple thing cannot be achieved with Cloud Storage. The only solution that comes to my mind is changing the system's architecture, but I would like to avoid it. Any other suggestions?
Add the accessor service accounts (e.g. [email protected] or [email protected] for Compute Engine) as members with the 'Editor' permission on the project that owns the GCS bucket. This can be done on the IAM page of that project: https://console.developers.google.com/iam-admin/iam/project?project=app1
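The question's list of canned ACLs is really a question about how GCS resolves an object's AccessControlList for a given caller, and the bucket ACL quoted above already shows the narrower mechanism the canned options lack: a per-principal UserByEmail entry. The following is an added example, not code from the original post or from the GCS Client Library. It parses ACL documents in the same XML format as the bucket ACL above, evaluates them for a principal, and contrasts what `x-goog-acl: authenticated-read` writes (an AllAuthenticatedUsers READ entry, which any signed-in Google account satisfies) with an object ACL that grants application B's service account READ explicitly. The e-mail addresses, the `Principal` type, the helper names and the ACL documents are constructed stand-ins; real GCS ACLs identify owners by an opaque ID rather than an e-mail address, and whether a given client library can write a per-entry object ACL is not something this page shows.

```python
"""Resolve GCS XML-API AccessControlList documents for a principal.

Added example for this Q&A, not code from the original post or from the
GCS Client Library. All principals and ACL documents below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import FrozenSet, List, NamedTuple, Tuple

# Hypothetical principals standing in for the names in the question.
APP_A = "app-a@example-project.iam.gserviceaccount.com"
APP_B = "app-b@example-project.iam.gserviceaccount.com"
STRANGER = "someone-else@gmail.com"  # any signed-in Google account, not in the project


class Principal(NamedTuple):
    email: str                  # "" for an anonymous request
    authenticated: bool
    groups: FrozenSet[str]      # Google Group e-mails the principal belongs to


# GCS ACL permissions nest: FULL_CONTROL > WRITE > READ.
_RANK = {"READ": 1, "WRITE": 2, "FULL_CONTROL": 3}


def parse_acl(xml_text: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (owner_id, [(scope_type, scope_value, permission), ...])."""
    root = ET.fromstring(xml_text)
    owner = root.findtext("Owner/ID") or ""
    entries = []
    for entry in root.findall("Entries/Entry"):
        scope = entry.find("Scope")
        value = (scope.findtext("EmailAddress") or scope.findtext("ID")
                 or scope.findtext("Domain") or "")
        entries.append((scope.get("type", ""), value, entry.findtext("Permission") or ""))
    return owner, entries


def _scope_matches(stype: str, value: str, who: Principal) -> bool:
    """Does one ACL scope cover this principal?"""
    if stype == "AllUsers":
        return True                      # anonymous callers included
    if not who.authenticated:
        return False                     # every other scope needs a signed-in identity
    if stype == "AllAuthenticatedUsers":
        return True                      # any Google account; project membership is irrelevant
    if stype == "UserByEmail":
        return who.email.lower() == value.lower()
    if stype == "GroupByEmail":
        return value.lower() in {g.lower() for g in who.groups}
    if stype == "GroupByDomain":
        return who.email.lower().endswith("@" + value.lower())
    return False                         # UserById/GroupById need a directory lookup; deny here


def can(acl_xml: str, who: Principal, needed: str = "READ") -> bool:
    """True if `who` holds at least `needed` permission under this ACL."""
    _, entries = parse_acl(acl_xml)
    return any(_scope_matches(st, val, who) and _RANK.get(perm, 0) >= _RANK[needed]
               for st, val, perm in entries)


def _acl(owner: str, *grants: Tuple[str, str, str]) -> str:
    """Build a constructed ACL document; grants are (scope_type, value, permission)."""
    parts = []
    for stype, value, perm in grants:
        if stype in ("AllUsers", "AllAuthenticatedUsers"):
            scope = '<Scope type="%s"/>' % stype
        elif stype == "GroupByDomain":
            scope = '<Scope type="%s"><Domain>%s</Domain></Scope>' % (stype, value)
        else:
            scope = '<Scope type="%s"><EmailAddress>%s</EmailAddress></Scope>' % (stype, value)
        parts.append("<Entry>%s<Permission>%s</Permission></Entry>" % (scope, perm))
    return ('<?xml version="1.0" ?><AccessControlList><Owner><ID>%s</ID></Owner>'
            "<Entries>%s</Entries></AccessControlList>" % (owner, "".join(parts)))


# Object ACL as written by A with x-goog-acl: authenticated-read (constructed).
AUTHENTICATED_READ = _acl(APP_A, ("UserByEmail", APP_A, "FULL_CONTROL"),
                          ("AllAuthenticatedUsers", "", "READ"))
# Object ACL with an explicit, least-privilege READ grant to B only (constructed).
EXPLICIT_GRANT = _acl(APP_A, ("UserByEmail", APP_A, "FULL_CONTROL"),
                      ("UserByEmail", APP_B, "READ"))

B = Principal(APP_B, True, frozenset())
OUTSIDER = Principal(STRANGER, True, frozenset())
ANON = Principal("", False, frozenset())

if __name__ == "__main__":
    for name, acl in (("authenticated-read", AUTHENTICATED_READ), ("explicit grant", EXPLICIT_GRANT)):
        print(name, "B:", can(acl, B), "outsider:", can(acl, OUTSIDER), "anon:", can(acl, ANON))
```

Running the module shows the point of the asker's list in one screen: under authenticated-read both B and the outsider read the object (only the anonymous caller is refused), while under the explicit grant only B reads and B still lacks FULL_CONTROL. The evaluator refuses UserById and GroupById scopes because resolving them needs a directory lookup; in a real check those must not be silently treated as matches.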