Reputation: 12953
Restricting files from Google Cloud Storage to the users that have authenticated with my Google App Engine app?
I have a GAE application with a database of users.
When one of the user tries to download, say, file myapplication.appspot.com/somefile.jpg, I would:
- check on the GAE database whether he is allowed to
- if he is allowed, redirect him to a cloud storage bucket of mine from where he can download
somefile.jpg - if he is not allowed, return him a 404 error code, and do some magic so that directly trying to download
somefile.jpgfrom the cloud storage bucket does not complete.
Now what’s unclear to me is how to control access to somefile.jpg. How can I restrict the download to this scope of users?
PS: using something else than Google Storage is not an option (for those of you guys who thought about blobstore).
Upvotes: 4
Views: 3498
Answers (2)
Reputation: 3808
As Shay noted, every App Engine application automatically has associated with it an internal account, called the “service account”. Normally, the service account name follows the pattern “[email protected]”, however, you can confirm the exact name by visiting the App Engine Administration Console, then clicking on your app name, followed by the “Application Settings” link, at which point you should see your service account name.
Once you find your service account name, add it to the “Team” subpage on the APIs console with “Can edit” permissions. This is even easier than updating the bucket ACL because you don't have to change any ACLs, however, bear in mind this applies to all buckets in your project. If you'd like to restrict your app to only have access to a subset of the buckets owned by your project then you'll want to update the per-bucket ACL(s), as Shay proposed.
Upvotes: 3
Reputation: 31928
You don't need to restrict access on a per user basic you can restrict access on a per application (Google App Engine App) basis.
Every application has a service account, what you can do is set an ACL on the bucket to allow access to the application service account.
Now all you need to write an handler that would access Google Storage and return the data to the user.
Upvotes: 4
Related Questions
- Google Cloud Storage authentication for App Engine
- How do I restrict access to files in Google Storage?
- Allowing publicly shared files on google cloud storage
- cloud storage ACL based on Google user accounts
- Google Cloud Storage authentication: restrict permissions without creating additional Google Accounts
- Authenticated File with google cloud storage
- Google Cloud Storage - Bucket permission within application
- How could I allow users to access to my google cloud storage
- Set ACL for Google Storage Object with JSON Api in Appengine
- how can I set google cloud storage ACL to give READ permission only to GAE apps?