Reputation: 237
Accessing files in the Google Cloud Storage from two different google cloud projects
Consider the following situation:
- I have two AppEngine projects: A and B
I have a Cloud Storage bucket with the following ACL:
<?xml version="1.0" ?> <AccessControlList> <Owner> <ID>id-of-the-user-who-created-the-bucket</ID> </Owner> <Entries> <Entry> <Scope type="UserByEmail"> <EmailAddress>app-A-service-account-name</EmailAddress> </Scope> <Permission>FULL_CONTROL</Permission> </Entry> <Entry> <Scope type="UserByEmail"> <EmailAddress>app-B-service-account-name</EmailAddress> </Scope> <Permission>FULL_CONTROL</Permission> </Entry> </Entries> </AccessControlList>My GAE applications are written in Python and they are using GCS Client Library
Now, here is what I want to achieve: I want application A to create files inside the bucket and then application B to read them.
At first I tried to simply create a file with cloudstorage.open(file_name, 'w') and then read its status with cloudstorage.stat(file_name, 'r'), but this way I end up with the following error while reading:
ForbiddenError at /.../
Expect status [200] from Google Storage. But got status 403.
(The error message provides also request/response information: path, headers, body and extra info. Please let me know if you think they may be helpful in solving this case)
Then I started experimenting with ACLs by setting the x-googl-acl option while creating a file, for example:
cloudstorage.open(file_name, 'w', options={'x-goog-acl': 'authenticated-read'})
Although ACLs work as intended, none of the available options seem to fit my requirements:
private- only the bucket owner has the access, B cannot readpublic-read- file is accessible by anonymous users, unacceptablepublic-read-write- same as aboveauthenticated-read- everyone with authenticated account is able to read (even people who are not part of the project), so it's no different than the previous optionbucket-owner-read- seems perfect, but it turns out that "the bucket owner" is NOT the user who was set as "owner" through the Cloud Console, but the user who created the bucketbucket-owner-full-control- same as above
It looks like I ran out of options, but I can't believe that such a simple thing cannot be achieved with the Cloud Storage. The only solution that comes to my mind is changing system's architecture, but I would like to avoid it. Any other suggestions?
Upvotes: 6
Views: 1860
Answers (1)
Reputation: 1327
Add the accessor Service Accounts (e.g. [email protected] or [email protected] for compute engine) as member with 'Editor' permission on project with the GCS bucket to use. This can be done in IAM page of the project that owns the bucket: https://console.developers.google.com/iam-admin/iam/project?project=app1
Upvotes: 6
Related Questions
- Syncing files between projects/buckets in Google Cloud Storage
- Google Cloud Storage One file multiple access at the same time
- Google App Engine Access Cloud Datastore from Different Project
- Same bucket hosting static files at 2 different projects at Google Cloud Platform
- Access Google Cloud Datastore from another app/project
- How to access datastore of different google app engine project?
- Access GCS bucket from another project
- How to grant multiple appengine projects access to the same Cloud Storage bucket?
- How to access file present inside bucket of another application
- Read files from Google Cloud Storage on App Engine