Reputation: 367
Google Cloud storage: Grant permission to OAuth 2.0 client
I try to download a file from a google cloud drive bucket via the REST. But if I use the access_token of the oAuth 2.0 client which I have created I get "Insufficient Permission" as an error (It works with the access toke of my googel account).
So, where in the cloud platform I can grant the oAuth2 client access to the bucket from where I want to download the file?
Thx
Upvotes: 0
Views: 2161
Answers (1)
Reputation: 49583
TL;DR - You're most likely missing the step where you request the right scopes when requesting your OAuth2.0 access token. Please look at the supported scopes with Google Cloud Storage APIs. Access tokens typically expire in 60 minutes and you will need to use a refresh token to get a new access token when it expires.
Please read the Google Cloud Storage Authentication page for detailed information.
Scopes
Authorization is the process of determining what permissions an authenticated identity has on a set of specified resources. OAuth uses scopes to determine if an authenticated identity is authorized. Applications use a credential (obtained from a user-centric or server-centric authentication flow) together with one or more scopes to request an access token from a Google authorization server to access protected resources.
For example, application A with an access token with
read-onlyscope can only read, while application B with an access token withread-writescope can read and modify data. Neither application can read or modify access control lists on objects and buckets; only an application withfull-controlscope can do so.
Authentication in Google Cloud
Google Cloud services generally provides 3 main modes of authentication:
End User Account credentials - here you authenticate as the end user directly using their google account or an OAuth 2.0 access token. When requesting an access token, you will need to provide the scopes which determine which APIs are accessible to the client using that access token.
OAuth2.0 credentials - if granted the right scope, can access the user's private data. In addition, Cloud IAM lets you control fine grained permissions by granting roles to this user account.
Service Accounts - here you create a service account which is associated with a specific GCP project (and billed to that project thereby). These are mainly used for automated use from your code or any of the Google Cloud services like Compute Engine, App Engine, Cloud Functions, etc. You can create service accounts using Google Cloud IAM.
Each service account has an associated email address (you specify when creating the service account) and you will need to grant appropriate roles for this email address for your Cloud Storage buckets/objects. These credentials if granted the right roles can access the user's private data.
API keys - here you get an encrypted string which is associated with a GCP project. It is supported only by very few Google Cloud APIs and it is not possible to restrict the scope of API keys (unlike service accounts or OAuth2.0 access tokens).
Upvotes: 3
Related Questions
- Google cloud storage authorization
- Google Cloud Storage: Grant User / Pass credentials per object
- Granting directory level permissions for Google Cloud Storage REST APIs
- How to properly authorize request to Google Cloud Storage API?
- Google Cloud Storage access Client API
- Accessing Google Cloud Storage From Android OAuth2
- Invalid_grant error with google cloud storage service account
- To access Google Cloud Storage via REST API to another user account, after authenication with OAuth2.0, HTTP 403 is replied
- Google Cloud Storage : Google Cloud Storage JSON API to fix Access Not Configured error 403?
- How could I allow users to access to my google cloud storage