We would like to start using Google Cloud Storage as a persistent store for user-uploaded files. Unfortunately, I can't add the App Identity (application-id@appspot.gserviceaccount.com) to our "Team" because our team is based on Google Apps for domains, and it does not allow any email addresses that are not on our domain to be on the team.
Is there a recommended way to authenticate the App Engine instance in this case?
You can also work around this by using GSUtil to explicitly grant write access to the bucket you created so that your service account "[email protected]" has sufficient access to the bucket. By default, your bucket can't be accessed by others.
What you will need to do with GSUtil to modify your ACL on the bucket is this:
Make changes to acl.txt, such as adding an additional grant for user "[email protected]" to have write access to the bucket. See the ACL doc on how to do this: http://code.google.com/apis/storage/docs/accesscontrol.html#applyacls
Specifically, it might look something like this to add to the acl.txt you downloaded:
<Entry>
  <Scope type="UserByEmail">
    <EmailAddress>[email protected]</EmailAddress>
    <Name>Service Account</Name>
  </Scope>
  <Permission>FULL_CONTROL</Permission>
</Entry>
Update ACL on the bucket: gsutil setacl acl.txt gs://yourbucket
Hope this helps!
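One way to make the acl.txt edit described in the answer above with an XML parser instead of hand-editing, as an added example that is not part of the original answer. It assumes the downloaded file uses the AccessControlList/Entries layout of the constructed sample, uses a placeholder address, and grants WRITE (the access the answer's text asks for) rather than the FULL_CONTROL in its sample entry; all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a downloaded acl.txt; the owner ID is a placeholder.
SAMPLE_ACL = """<AccessControlList>
  <Owner><ID>00b4903a97-constructed-owner-id</ID></Owner>
  <Entries>
    <Entry>
      <Scope type="UserById"><ID>00b4903a97-constructed-owner-id</ID></Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
  </Entries>
</AccessControlList>"""

VALID_PERMISSIONS = {"READ", "WRITE", "FULL_CONTROL"}


def grants(acl_xml):
    """Return [(scope_type, identity, permission)] for every Entry."""
    out = []
    for entry in ET.fromstring(acl_xml).iter("Entry"):
        scope = entry.find("Scope")
        ident = (scope.findtext("EmailAddress") or scope.findtext("ID")
                 or scope.findtext("Domain") or "")
        out.append((scope.get("type"), ident, entry.findtext("Permission")))
    return out


def add_email_grant(acl_xml, email, permission="WRITE"):
    """Return ACL XML with one UserByEmail grant added (idempotent)."""
    if permission not in VALID_PERMISSIONS:
        raise ValueError("unknown permission: " + permission)
    if ("UserByEmail", email, permission) in grants(acl_xml):
        return acl_xml  # grant already present, nothing to change
    root = ET.fromstring(acl_xml)
    entry = ET.SubElement(root.find("Entries"), "Entry")
    scope = ET.SubElement(entry, "Scope", {"type": "UserByEmail"})
    ET.SubElement(scope, "EmailAddress").text = email  # escaped by the serializer
    ET.SubElement(entry, "Permission").text = permission
    return ET.tostring(root, encoding="unicode")


def public_grants(acl_xml):
    """Grants to AllUsers/AllAuthenticatedUsers, to review before uploading."""
    return [g for g in grants(acl_xml)
            if g[0] in ("AllUsers", "AllAuthenticatedUsers")]


if __name__ == "__main__":
    print(add_email_grant(SAMPLE_ACL, "service-account@example.invalid"))
```

Write the returned XML back to acl.txt before running the gsutil setacl step.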
Create a new team using a gmail account. Add all your team members (including the app), and delete the gmail account from the team.
Yes, it's a horrid hack. Sorry about that.