google cloud storage access denied with allAuthenticatedUsers

Question

I use Reactjs to create a website and host it on Firebase, and set serviceAccount.json with firebase-admin and @google-cloud/storage on Google Cloud Functions to handle functions. Website has a <iframe> element, it will load aaa.html link url from bucket in Google Cloud Storage. Bucket of GCS is set to allAuthenticatedUsers. Upload aaa.html using predefinedAcl:'authenticatedRead'. Website could login with firebaseui-web-react. I only got access denied when I load aaa.html.

<Error>
    <Code>AccessDenied</Code>
    <Message>Access denied.</Message>
    <Details>
        Anonymous caller does not have storage.objects.get access to 
        bucket/path/aaa.html.
</Details>
</Error>

How can I access correctly?

Answer 1

Your request is not authenticated, you are anonymous. Be sure that you have a Google account (email, service account,..)

Your user have to be known be Google (or Cloud Identity) for being considered as known/authenticated. With firebase auth, your user can be known, and authenticated by external service (Facebook, Github,...) but GCS only trust Google authenticated account.

A solution is to create a service account for your backend. To provide GCS Bucket access to this service service account and to serve file to your user through your backend.