It seems like this would be really, really easy - but I can't get it to work. All I need to do is to be able to serve files from Google cloud storage while restricting access to my google apps domain. I easily did this before using Google App engine simply by choosing that I wanted to limit access to my domain and setting the app.yaml appropriately. I can't find anything that tells me what I might be missing - I've tried using gsutil to set the ACL to restrict to my domain, which processes successfully through the command line, but then when I try to look at the bucket or object permissions through the cloud web console, I get "unexpected ACL entity type: domain".

I'm trying to access using storage.googleapis.com/bucket/object (of course with my bucket and object name) and I always get a 403 error even though I'm definitely logged in to gmail, and as the administrator of the domain, it seems like it should work because even if the ACLs were otherwise wrong (and I've tried it both with and without the domain restriction), it would work for me at least. The only way I can serve content using the above url is if I make it public - which obviously is NOT what I want to do.

I'm sure I'm missing something completely stupid, or some fundamental principles about how this should work - can anyone give me any ideas?

So I'm guessing this has nothing to do with google-app-engine, but with google-cloud-storage.. right? - Lipis
Yes, it's google cloud storage - my reference to google apps is because it's a google apps for business account, so I wasn't sure if that would make a difference. Also I have used google apps engine to create an application to serve static content before and that worked fine authenticating the domain users..but I want to move that static content to google cloud storage and I'm not having any luck with that (in terms of authentication) - user2802924
I think I was attempting to use the wrong url - storage.googleapis.com/<bucket>/<object>. When I use storage.cloud.google.com/<bucket>/<object> instead, it seems to work as expected. - user2802924
It would still be nice to know why I get the "unexpected ACL entity type: domain" though. - user2802924

1 Answer

I'm not 100% sure what your use case is, but I'm guessing that your users are attempting to access the objects directly from a web browser. storage.cloud.google.com accepts Google authorization cookies, which means that if a user is logged in to an appropriate Google account, they can access resources restricted to certain users, groups, or domains. However, the other endpoints do not accept cookies as authorization, and so this use case won't work.

These users have permission to access objects using storage.googleapis.com, but doing so requires explicitly authorizing requests.

In other words, a simple <img src="http://storage.cloud.google.com/bucket/object" /> link will work fine for signed-in users, but using storage.googleapis.com requires explicitly authorizing requests via OAuth 2.
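The explicit authorization the answer describes, as an added example that is not part of the original post: a request to storage.googleapis.com carries the OAuth 2 access token in an Authorization header, since that endpoint ignores browser cookies. It assumes the token is supplied in an OAUTH_ACCESS_TOKEN environment variable (for example from `gcloud auth print-access-token`) and that the bucket and object names are passed on the command line.

```python
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

API_HOST = "https://storage.googleapis.com"


def build_request(bucket, obj, token):
    """Build an authorized GET for gs://bucket/obj via storage.googleapis.com.

    The object name is percent-encoded (slashes kept, they are part of the
    key) and the credential travels as a bearer token, never as a cookie.
    """
    if not token:
        raise ValueError("an OAuth 2 access token is required for this endpoint")
    url = "%s/%s/%s" % (API_HOST,
                        urllib.parse.quote(bucket, safe=""),
                        urllib.parse.quote(obj, safe="/"))
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token})


def explain_status(status):
    """Translate the HTTP status of the fetch into an access-control meaning."""
    if 200 <= status < 300:
        return "ok: token accepted and the ACL grants READ to this principal"
    if status == 401:
        return "unauthorized: bearer token rejected (invalid or expired)"
    if status == 403:
        return ("forbidden: no usable credential was presented (cookies are ignored "
                "here) or the ACL does not grant this principal READ")
    if status == 404:
        return "not found: bucket or object does not exist"
    return "unexpected status %d" % status


def fetch_object(bucket, obj, token):
    """Perform the request; returns (status, body) instead of raising on HTTP errors."""
    try:
        with urllib.request.urlopen(build_request(bucket, obj, token), timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Assumed invocation: python fetch.py <bucket> <object>  (token from the environment)
    access_token = os.environ.get("OAUTH_ACCESS_TOKEN", "")
    if len(sys.argv) != 3 or not access_token:
        sys.exit("usage: OAUTH_ACCESS_TOKEN=... python fetch.py <bucket> <object>")
    code, body = fetch_object(sys.argv[1], sys.argv[2], access_token)
    print(explain_status(code), "(%d bytes)" % len(body))
```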