
Google Cloud Storage authentication for App Engine

We would like to start using Google Cloud Storage as a persistent store for user-uploaded files. Unfortunately, I can't add the App Identity (application-id@appspot.gserviceaccount.com) to our "Team" because our team is based on Google Apps for domains, and it does not allow any email addresses that are not on our domain to be on the team.

Is there a recommended way to authenticate the App Engine instance in this case?

tghw asked Nov 09 '11 22:11


2 Answers

You can also work around this by using GSUtil to explicitly grant write access to the bucket you created so that your service account "[email protected]" has sufficient access to the bucket. By default, your bucket can't be accessed by others.

What you will need to do with GSUtil to modify your ACL on the bucket is this:

  • Retrieve the bucket's ACL: gsutil getacl gs://mybucket > acl.txt
  • Make changes to acl.txt such as adding an additional grant for user "[email protected]" to have write access of the bucket, see ACL doc. on how to do this: http://code.google.com/apis/storage/docs/accesscontrol.html#applyacls Specifically, it might look something like this to add to the acl.txt you downloaded:

    <Entry>
      <Scope type="UserByEmail">
        <EmailAddress>[email protected]</EmailAddress> 
        <Name>Service Account</Name> 
      </Scope> 
      <Permission>FULL_CONTROL</Permission> 
    </Entry>
    
  • Update ACL on the bucket: gsutil setacl acl.txt gs://yourbucket

Hope this helps!

Jose Montes de Oca answered Oct 17 '22 07:10
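The acl.txt edit from the steps in the answer above can be scripted so that the grant is added once, never duplicated, and easy to review before it is applied; this is an added example, not code from the answer or from gsutil. It defaults to WRITE, the access level the answer's text describes. The SAMPLE_ACL document (including its owner ID and the enclosing AccessControlList/Entries layout) and the function names grant and grants are assumptions for illustration; the service account address is the one given in the question.

```python
import xml.etree.ElementTree as ET

VALID = {"READ", "WRITE", "FULL_CONTROL"}  # bucket permissions in the XML ACL format

# Constructed sample of an acl.txt as saved by the getacl step (owner ID is made up).
SAMPLE_ACL = """<AccessControlList>
  <Owner><ID>00b4903a97constructed</ID></Owner>
  <Entries>
    <Entry>
      <Scope type="GroupById"><ID>00b4903a97constructed</ID></Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
  </Entries>
</AccessControlList>"""

def grants(acl_xml):
    """Return [(scope_type, identity, permission)] for every entry, for review."""
    out = []
    for entry in ET.fromstring(acl_xml).iter("Entry"):
        scope = entry.find("Scope")
        ident = scope.findtext("EmailAddress") or scope.findtext("ID") or ""
        out.append((scope.get("type"), ident, entry.findtext("Permission")))
    return out

def grant(acl_xml, email, permission="WRITE"):
    """Add or update a UserByEmail entry; returns the new ACL XML as a string."""
    if permission not in VALID:
        raise ValueError("unknown permission: " + permission)
    root = ET.fromstring(acl_xml)
    entries = root.find("Entries")
    if entries is None:
        raise ValueError("no <Entries> element; is this an ACL document?")
    for entry in entries.findall("Entry"):
        scope = entry.find("Scope")
        if scope.get("type") == "UserByEmail" and scope.findtext("EmailAddress") == email:
            entry.find("Permission").text = permission  # update in place, no duplicate
            break
    else:
        entry = ET.SubElement(entries, "Entry")
        scope = ET.SubElement(entry, "Scope", type="UserByEmail")
        ET.SubElement(scope, "EmailAddress").text = email
        ET.SubElement(entry, "Permission").text = permission
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    # Write the output to acl.txt, review it, then run the setacl step.
    print(grant(SAMPLE_ACL, "application-id@appspot.gserviceaccount.com"))
```

Running grants() over the file before the setacl step gives a quick list of every identity and permission the bucket will end up with.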


Create a new team using a gmail account. Add all your team members (including the app), and delete the gmail account from the team.

Yes, it's a horrid hack. Sorry about that.

Nick Johnson answered Oct 17 '22 08:10