how can I set google cloud storage ACL to give READ permission only to GAE apps?

1
votes

The bucket is project-private. So far I managed to update the ACL of the bucket through gsutil CLI. The issue is that only the owner (the app that writes/uploads the files) has access. The other apps specified in the bucket ACL get a permission error when I try to read or list the bucket content. Am I missing something ?

  <Entry>
        <Scope type="UserByEmail">
            <EmailAddress>
                [email protected]
            </EmailAddress>
        </Scope>
        <Permission>
            READ
        </Permission>
    </Entry>
 <Entry>
        <Scope type="UserByEmail">
            <EmailAddress>
                [email protected]
            </EmailAddress>
        </Scope>
        <Permission>
            READ
        </Permission>
    </Entry>
1
google-app-enginegoogle-cloud-storage
What you're doing should be correct - how are you trying to read files from the bucket? Can you try using a blobreader? (developers.google.com/appengine/docs/python/blobstore/…) - Stuart Langley

1 Answers

1
votes

Try adding your app's service account to your project team, as illustrated in this tutorial: https://developers.google.com/appengine/articles/prediction_service_accounts. That tutorial focuses on using app engine with the Google Prediction API, however, the concept of enabling access to your app's service account should apply equally well when providing access to Google Cloud Storage resources to App Engine apps.