Getting 401 error, reason:Anonymous users does not have storage.objects.create access to bucket

Question

I am trying to upload a .jpeg file to google cloud storage but my request fails with the following 401 error.

{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "required",
    "message": "Anonymous users does not have storage.objects.create access to bucket XXXtest.",
    "locationType": "header",
    "location": "Authorization"
   }
  ],
  "code": 401,
  "message": "Anonymous users does not have storage.objects.create access to bucket XXXtest."
 }
}

My POST request looks like this.

<form id="upload_image_form" class="" action="https://www.googleapis.com/upload/storage/v1/b/XXXtest/o?uploadType=media&name=myObject" method="post" enctype="multipart/form-data">
    <input id="image" name="image" type="file" accept="image/x-png, image/jpeg, image/png" onchange="">

    <input type="hidden" name="Content-Type" value="image/jpeg">
    <input type="hidden" name="name" value="my_name">
    <input type="hidden" name="Accept" value="application/json, text/json, text/x-json, text/javascript">
    <input type="hidden" name="host" value="www.googleapis.com">
    <input type="hidden" name="Transfer-Encoding" value="chunked">
    <input type="hidden" name="Authorization" value="<?php echo 'Bearer'.' '.$_SESSION['access_token']['access_token']; ?>">
    <input type="hidden" name="Expect" value="100-continue">
    <input type="hidden" name="Accept-Encoding" value="gzip, deflate">
    <input type="hidden" name="Connection" value="Keep-Alive">
    <input type="hidden" name="acl" value="bucket-owner-writer">
    <input id="upload" name="upload" value="Upload" type="submit" style="position: absolute;">

</form>

Can you please tell me what am I missing according to this documentation?

Answer 1

I got succeed to accomplish this using following code. I did that using cloud api methods given here Resumable uploading to Google Cloud Storage using PHP API

Answer 2

To allow users to upload objects to GCS via a form POST, you're going to need to create a "policy document" describing what sort of objects the user can upload, then sign it, then pass that signed doc as a parameter in the form. You can read more about uploading to GCS via a POST here: https://cloud.google.com/storage/docs/xml-api/post-object

And note especially the section on signed policy documents here: https://cloud.google.com/storage/docs/xml-api/post-object#policydocument

Here's an example policy document:

{"expiration": "2010-06-16T11:11:11Z",
 "conditions": [
  ["starts-with", "$key", "" ],
  {"acl": "bucket-owner-read" },
  {"bucket": "travel-maps"},
  {"success_action_redirect": "http://www.example.com/success_notification.html" },
  ["eq", "$Content-Type", "image/jpeg" ],
  ["content-length-range", 0, 1000000]
  ]
}

You'd then base64 that document, sign the result with the private key for the service account you want the user to act as for purposes of the upload, and then provide them in hidden fields, like this:

<input type="hidden" name="policy" value="eyJleHBpcmF0aW9uIjogIjIwMTAtMDYtMTZUMTE6MTE6MTFaIiwNCiAiY29uZGl0aW9ucyI6IFsNCiAgWyJzdGFydHMtd2l0aCIsICJrZXkiLCAiIiBdLA0KICB7ImFjbCI6ICJidWNrZXQtb3duZXItcmVhZCIgfSwNCiAgeyJidWNrZXQiOiAidHJhdmVsLW1hcHMifSwNCiAgeyJzdWNjZXNzX2FjdGlvbl9yZWRpcmVjdCI6ICJodHRwOi8vd3d3LmV4YW1wbGUuY29tL3N1Y2Nlc3Nfbm90aWZpY2F0aW9uLmh0bWwiIH0sDQogIFsiZXEiLCAiQ29udGVudC1UeXBlIiwgImltYWdlL2pwZWciIF0sDQogIFsiY29udGVudC1sZW5ndGgtcmFuZ2UiLCAwLCAxMDAwMDAwXQ0KICBdDQp9">
<input type="hidden" name="signature" value="BSAMPLEaASAMPLE6SAMPLE+SAMPPLEqSAMPLEPSAMPLE+SAMPLEgSAMPLEzCPlgWREeF7oPGowkeKk7J4WApzkzxERdOQmAdrvshKSzUHg8Jqp1lw9tbiJfE2ExdOOIoJVmGLoDeAGnfzCd4fTsWcLbal9sFpqXsQI8IQi1493mw=">