Google-App-Engine and Cloud-Storage, Access Denied

Question

I have created a bucket in Cloud-Storage, and granted permission for my-gae-app (GAE), as Full_Control. I also configured CORS (Cross-Origin Resource Sharing) on my bucket for my-gae-app. I setup the bucket default ACL to have my-gae-app as owner.

In my-gae-app application, I have form to allow users to upload pdf/image to my-bucket. (I use GCS Client Library Functions) The upload process worked fine, when upload button is clicked, the file is written to my-bucket without error and I can verify from the cloud storage console that the files are there. I checked the files (object) permission, and I can see my-app-gae is the owner.

Other form which display those uploaded files are not working. Even as simple as "<"img src="https://storage.cloud.google.com/mybucket/my-uploaded-image.jpg"/">" The console show me that "GET ... 403 Forbidden". The page to show the pdf will display "Access Denied Access Denied".

I have tried to mark the object as "Shared Publicly" in the Cloud Storage console, than everything will work fine. But, this is not correct design. I need a solution to make my-bucket access by my-gae-app only, not publicly :o(

Can anyone please shed some light ? Much appreciated.

Answer 1

Whatever "other form which display those uploaded files" is authenticated as needs to be on he access control list for that object with READ or FULL_CONTROL permission. If you want that to be the case for all objects which you create in the bucket, the easiest way to do that is to set a Default Object Access Control for the bucket as described here: https://developers.google.com/storage/docs/accesscontrol#default

With the default object access control set, you can grant READ by default to your form; you just need to find out which user/service account/group your form is authenticating as.