Reputation: 9389
I've been making my files with the following ACL attributes through my App Engine that is directly associated with the cloud storage bucket.
$options = stream_context_create(['gs'=>['acl'=>'private']]);
This is fine if I want to edit and view the files from my App Engine scripts. However, I'd like to be able to access these files from an entirely different Google App Engine Project ID. Or even a Compute Engine.
With the current ACL set to private, I realize that this may be impossible.
In my bucket that has these private ACL files, I have the bucket permissions set to owner for my different Project ID, and it works fine with files that aren't set to private.
I was wondering if there was any way I can batch change all of my files in my bucket to the right ACL. I have hundreds of files and it'd be hard to do it 1-by-1. At the moment, if I click on a file and look at its permissions, there is nothing there (hence private).
This is what I get when I just try and get a specific ACL from a file using gsutil
$ gsutil acl get gs://bucket/file
AccessDeniedException: Access denied. Please ensure you have OWNER permission on gs://bucket/file
This is what I get when using the gsutil ch command to add a user group
$ gsutil acl ch -u <project_id>@appspot.gserviceaccount.com:W gs://bucket/file
ERROR 0313 15:29:18.896421 retry_decorator.py] Retrying in 1.00 seconds ...
Traceback (most recent call last):
File "/usr/lib/google-cloud-sdk/platform/gsutil/third_party/retry-decorator/retry_decorator/retry_decorator.py", line 20, in f_retry
return f(*args, **kwargs)
File "/usr/lib/google-cloud-sdk/platform/gsutil/gslib/commands/acl.py", line 372, in ApplyAclChanges
fields=['acl', 'generation', 'metageneration'])
File "/usr/lib/google-cloud-sdk/platform/gsutil/gslib/cloud_api_delegator.py", line 199, in GetObjectMetadata
bucket_name, object_name, generation=generation, fields=fields)
File "/usr/lib/google-cloud-sdk/platform/gsutil/gslib/gcs_json_api.py", line 513, in GetObjectMetadata
generation=generation)
File "/usr/lib/google-cloud-sdk/platform/gsutil/gslib/gcs_json_api.py", line 1018, in _TranslateExceptionAndRaise
raise translated_exception
AccessDeniedException: AccessDeniedException: 403 Forbidden
ERROR 0313 15:29:19.995003 retry_decorator.py] Retrying in 2.05 seconds ...
Traceback (most recent call last):
File "/usr/lib/google-cloud-sdk/platform/gsutil/third_party/retry-decorator/retry_decorator/retry_decorator.py", line 20, in f_retry
return f(*args, **kwargs)
File "/usr/lib/google-cloud-sdk/platform/gsutil/gslib/commands/acl.py", line 372, in ApplyAclChanges
fields=['acl', 'generation', 'metageneration'])
File "/usr/lib/google-cloud-sdk/platform/gsutil/gslib/cloud_api_delegator.py", line 199, in GetObjectMetadata
bucket_name, object_name, generation=generation, fields=fields)
File "/usr/lib/google-cloud-sdk/platform/gsutil/gslib/gcs_json_api.py", line 513, in GetObjectMetadata
generation=generation)
File "/usr/lib/google-cloud-sdk/platform/gsutil/gslib/gcs_json_api.py", line 1018, in _TranslateExceptionAndRaise
raise translated_exception
AccessDeniedException: AccessDeniedException: 403 Forbidden
AccessDeniedException: 403 Forbidden
I am assuming I may have to write a PHP script that runs in my App Engine that goes through each file and changes or adds a permission?
Any help would be greatly appreciated, thank you.
Upvotes: 3
Views: 1049
Reputation: 67063
With the ACL set to private, only the AppEngine service account that created the object can modify the ACL.
You will probably have to write a program using one of the API client libraries and execute it on AppEngine.
Alternatively, I believe the default GCE service account is shared with AppEngine, so if you create a VM with devstorage.full_control scope, I think you should be able to modify the ACL using gsutil inside the VM.
Upvotes: 4
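One shape the "write a program using one of the API client libraries" suggestion could take, as an added example that is not part of either answer: it assumes the Python google-cloud-storage library and must run with the credentials of the service account that owns the objects. The function name `grant_reader` and the command-line flags are chosen for this sketch. It grants READER only (object ACLs accept READER and OWNER, not W) and lists the objects that return 403 instead of aborting on them.

```python
"""Grant one account READER on every object under a bucket prefix.

Run it with the credentials of the service account that owns the objects.
Dry run by default; pass --apply to write.
"""
import argparse

try:  # the client library's 403 exception, when it is installed
    from google.api_core.exceptions import Forbidden
except ImportError:  # fallback so grant_reader() can be exercised without it
    class Forbidden(Exception):
        pass


def grant_reader(blobs, email, dry_run=True):
    """Return (changed, skipped, denied) object names."""
    changed, skipped, denied = [], [], []
    for blob in blobs:
        try:
            blob.acl.reload()             # fetch the object's current ACL
            entry = blob.acl.user(email)  # existing entry, or a new empty one
            if entry.get_roles() & {"READER", "OWNER"}:
                skipped.append(blob.name)  # already has access, no write
                continue
            if not dry_run:
                entry.grant_read()  # object ACLs accept READER or OWNER only
                blob.acl.save()     # write the updated ACL back
            changed.append(blob.name)
        except Forbidden:
            denied.append(blob.name)  # caller is not an OWNER of this object
    return changed, skipped, denied


if __name__ == "__main__":
    from google.cloud import storage  # pip install google-cloud-storage

    p = argparse.ArgumentParser()
    p.add_argument("bucket")
    p.add_argument("email", help="account to grant READER to")
    p.add_argument("--prefix", default=None)
    p.add_argument("--apply", action="store_true")
    args = p.parse_args()

    blobs = storage.Client().list_blobs(args.bucket, prefix=args.prefix)
    changed, skipped, denied = grant_reader(blobs, args.email, not args.apply)
    print(f"{'granted' if args.apply else 'would grant'}: {len(changed)}")
    print(f"already had access: {len(skipped)}")
    for name in denied:
        print(f"403, not owner: {name}")
```

Review the dry-run counts first; any object reported as 403 was created by a different account and has to be changed under that account's credentials.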
Reputation: 41089
You can run gsutil command -acl to change access rights to all files or only files that match some pattern.
Make sure you authenticate yourself or gsutil won't be able to access your buckets: https://cloud.google.com/storage/docs/gsutil_install#authenticate
Upvotes: 0