User information in Cloud functions via GCS triggers

Question

We are processing files automatically via Google cloud functions if any file is uploaded to Google cloud storage. We wrote the code using python.

https://cloud.google.com/functions/docs/calling/storage

def hello_gcs_generic(data, context):
    """Background Cloud Function to be triggered by Cloud Storage.
       This generic function logs relevant data when a file is changed.

    Args:
        data (dict): The Cloud Functions event payload.
        context (google.cloud.functions.Context): Metadata of triggering event.
    Returns:
        None; the output is written to Stackdriver Logging
    """

    print('Event ID: {}'.format(context.event_id))
    print('Event type: {}'.format(context.event_type))
    print('Bucket: {}'.format(data['bucket']))
    print('File: {}'.format(data['name']))
    print('Metageneration: {}'.format(data['metageneration']))
    print('Created: {}'.format(data['timeCreated']))
    print('Updated: {}'.format(data['updated']))

We want to know who uploaded the file for our logging purpose. I don't see any variable in data and context in the above function which provides user information.

Is there any way to find out who uploaded the file in GCF for GCS triggers?

Answer 1

As you mentioned there is no variable for the owner of the object in data or context. However using the bucket name and the object name you can call Objects: get API which retrieves object metadata.

Using the projection full parameter you will receive the following response object:

{
  "kind": "storage#object",
  "id": string,
  "selfLink": string,
  "name": string,
  "bucket": string,
  "generation": long,
  "metageneration": long,
  "contentType": string,
  "timeCreated": datetime,
  "updated": datetime,
  "timeDeleted": datetime,
  "temporaryHold": boolean,
  "eventBasedHold": boolean,
  "retentionExpirationTime": datetime,
  "storageClass": string,
  "timeStorageClassUpdated": datetime,
  "size": unsigned long,
  "md5Hash": string,
  "mediaLink": string,
  "contentEncoding": string,
  "contentDisposition": string,
  "contentLanguage": string,
  "cacheControl": string,
  "metadata": {
    (key): string
  },
  "acl": [
    objectAccessControls Resource
  ],
  "owner": {
    "entity": string,
    "entityId": string
  },
  "crc32c": string,
  "componentCount": integer,
  "etag": string,
  "customerEncryption": {
    "encryptionAlgorithm": string,
    "keySha256": string
  },
  "kmsKeyName": string
} 

Where owner is:

The owner of the object. This will always be the uploader of the object. If iamConfiguration.uniformBucketLevelAccess.enabled is set to true, this field does not apply, and is omitted in responses.

Google Cloud Storage Objects

I used the Api and the owner entity is the service account used to upload the file.

Answer 2

When your Cloud Function is triggered, you know the identity of the object. You know this through the bucket and file properties. From this, you can use GCS API to interrogate further information on the GCS object.

If we look at the Object structure reference, we find a structure called owner that is documented as being the uploader.

It appears that we can retrieve this structure through the Objects: get API request.

Thus, while the information you seek may not be passed explicitly in the request to the Cloud Function, it appears to be accessible through follow on APIs.

If you are looking for uploader information for audit purposes, you might want to review Access logs & storage logs. It looks like the creation or upload of a new version or new object can be configured to produce Stackdriver log records for audit purposes. It might be you don't actually need the information in your Cloud Function if the answer can be retrospectively pieced together from existing data.