Object change notifications on Google Cloud Platform

Question

I'm following the example on the Google Cloud Platform documentation for Object Change Notifications.

The bucket is owned by one application (application-1) and the App Engine app that should receive the notification is a separate application (application-2). Service accounts for both applications are Storage Object Admins for the bucket.

However, I am unable to create a notification channel for to watch the bucket. When I try to use gsutil to do so, an error is returned:

gsutil notification watchbucket https://application-2.appspot.com gs://bucket
Watching bucket gs://bucket/ with application URL https://application-2.appspot.com ...
ServiceException: 401 Unauthorized WebHook callback channel: https://appication-2.appspot.com

I have confirmed that the domain (https://application-2.appspot.com) is verified using the Search Console verification process and is configured as a webhook notification domain for both projects.

Answer 1

I followed another set of service account instructions to configure gsutil to use the service account, and that appears to have resolved the permissions error.

I created a new service account, though I used a JSON private key (the guide shows a p12 key being used). I then also had to assign Storage Legacy Bucket Owner permission to that service account for the particular bucket, re-authorize the webhook domain, and now watch notifications appear to be working.