I created a Google App Engine app that listens for Google Cloud Storage notifications, and whenever a new object is created on GCS, the app needs to open the new object and perform operations based on its contents. I can't access the object contents when the app and the GCS bucket are in different projects.
Configuration:
I have created a service account in project A with Storage Object Admin permissions, associated the GAE app with it, activated the service account using:
gcloud auth activate-service-account [ACCOUNT] --key-file=KEY_FILE
I then created a bucket gs://some_bucket in project B in the same region as my GAE app, and added my service account as an owner of the bucket.
I added my service account as a member of project B with "Storage Object Admin" permissions.
I created a watchbucket channel between my application and the bucket using
gsutil notification watchbucket -i [ChannelId] -t [Token] https://[app-name].appspot.com/ gs://some_bucket
My application is now receiving POST requests; I can parse through them and find the source bucket, the size, the object name, etc., but I can't read the objects themselves. I get the following error:
{Location: ""; Message: "Access Denied: File gs://some_bucket/some_object: Access Denied"; Reason: "accessDenied"}
I tested the above configuration within the same project (project A), and I am able to read the objects and operate on them. This is a permissions issue that I can't figure out.
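The handler side of the setup described in the question, as an added example that is not code from the question or the answer: a function that validates an Object Change Notification POST (the kind `gsutil notification watchbucket` delivers) before the app acts on it. The channel id and token are the ones passed as `-i` and `-t` when the channel was created; checking them matters because the appspot URL is public, so an unauthenticated POST could otherwise make the app open whatever object the attacker names. The channel id, token and sample object are constructed placeholders for this example.

```python
import hmac
import json
from typing import Any, Dict, Optional

# Values the channel was registered with via
# `gsutil notification watchbucket -i [ChannelId] -t [Token] ...`.
# Constructed placeholders for this example, not the asker's real values.
EXPECTED_CHANNEL_ID = "gae-object-watcher"
EXPECTED_TOKEN = "s3cret-channel-token"


class NotificationRejected(Exception):
    """Raised when a POST does not prove it came from the registered channel."""


def parse_notification(headers: Dict[str, str], body: bytes) -> Optional[Dict[str, Any]]:
    """Validate an Object Change Notification and extract the object reference.

    Returns None for the initial 'sync' message and for deletions (nothing to
    read), and a dict with bucket/name/size/generation for an 'exists' event.
    Raises NotificationRejected when the channel id or token do not match.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}

    channel_id = h.get("x-goog-channel-id", "")
    token = h.get("x-goog-channel-token", "")
    # compare_digest keeps the comparison constant-time; encode so that
    # non-ASCII header values cannot raise TypeError instead of failing closed.
    if not (hmac.compare_digest(channel_id.encode(), EXPECTED_CHANNEL_ID.encode())
            and hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode())):
        raise NotificationRejected("channel id or token mismatch")

    state = h.get("x-goog-resource-state", "")
    if state == "sync":
        # Sent once when the channel is created; the body is empty.
        return None
    if state != "exists":
        # 'not_exists' (object deleted) or anything unknown: nothing to read.
        return None

    obj = json.loads(body.decode("utf-8"))
    if obj.get("kind") != "storage#object":
        raise NotificationRejected("unexpected resource kind %r" % obj.get("kind"))

    return {
        "bucket": obj["bucket"],
        "name": obj["name"],
        # The JSON API encodes object size as a decimal string.
        "size": int(obj["size"]),
        "generation": obj.get("generation"),
        "gs_uri": "gs://%s/%s" % (obj["bucket"], obj["name"]),
    }


# Constructed sample notification, shaped like a watchbucket 'exists' event.
SAMPLE_HEADERS = {
    "X-Goog-Channel-Id": EXPECTED_CHANNEL_ID,
    "X-Goog-Channel-Token": EXPECTED_TOKEN,
    "X-Goog-Resource-State": "exists",
    "X-Goog-Message-Number": "2",
}
SAMPLE_BODY = json.dumps({
    "kind": "storage#object",
    "bucket": "some_bucket",
    "name": "incoming/report.csv",
    "size": "2048",
    "generation": "1500000000000000",
}).encode()

if __name__ == "__main__":
    print(parse_notification(SAMPLE_HEADERS, SAMPLE_BODY))
```

Only after `parse_notification` returns a reference should the app call into GCS to fetch `gs_uri`; rejected POSTs should be answered with a 4xx and logged, not retried.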
GCS bucket permissions are different from GCS object permissions: being a bucket owner does not translate into being an object owner or having object access. You can grant read permission on all existing GCS objects in your bucket recursively using the following:
gsutil -m acl ch -u [SERVICE_ACCOUNT_EMAIL]:R -r gs://example-bucket
which will recursively grant the service account read permission on all objects in the bucket.
One might also want to change the bucket's default object permissions so that all future objects coming into your GCS bucket have the desired permissions:
gsutil defacl ch -u [SERVICE_ACCOUNT_EMAIL]:READ gs://example-bucket
Changing object ACLs: https://cloud.google.com/storage/docs/gsutil/commands/acl
Changing default object ACLs: https://cloud.google.com/storage/docs/gsutil/commands/defacl