3
votes

I plan to use a cloud-based storage service to store some static user-uploaded content of my web application. I have settled upon Google Cloud Storage for now.

My web application is Rails, and I am using Paperclip with fog to connect to Google Cloud Storage.

I understand that I need to use the Interoperable Storage Access Keys in the fog config to connect to my bucket. Any additional key I add is given access to all the buckets.

I want to have a separate bucket per environment (development, staging and production). I want to have separate access and secret keys, with each key having access to only one bucket.

Basically, I don't want to put my production keys in my web-app source code, which all developers will have access to.

I read the Google Cloud Storage documentation on ACLs, but I could not find out how to achieve what I want.

I can't imagine that others wouldn't have had the same kind of requirement. Maybe I am using the wrong search terms, but I cannot get any info about this.

I would appreciate some help.

P.S. - Is what I want possible on AWS S3? I am open to switching to S3 if this is possible on it.

jterrace: I'm not sure I understand what the problem is. What's stopping you from having a config file with different keys and bucket names depending on your environment?
Anjan: @jterrace - Where do you create the keys, and assign each key to exactly one bucket?
jterrace: Any reason you don't want to use the google-api-ruby-client instead of fog? With that, you could use service accounts.
Anjan: The google-api-ruby-client doesn't integrate easily (at all) with Paperclip. And fog is meant to be used with all cloud service providers. When using fog, it is almost a no-brainer to switch from, say, S3 to DreamObjects to Rackspace to Google Cloud Storage to Azure, for example. I don't want Google proprietary code. It is almost like a lock-in.
jterrace: Looks like OAuth support was just added for compute: github.com/fog/fog/issues/2361

1 Answer

2
votes

The normal solution for something like this would be to have 3 service accounts (development-app, staging-app, production-app), each of which would have its own set of credentials and permissions. You could either have a test, staging, and production project, or you could just have test, staging, and production buckets within a single project. You can create a whole range of per-project service accounts, each with its own set of credentials and permissions.

Unfortunately, interoperable storage access keys are not available for service accounts, only regular Google user accounts. In order to do what you want, you'd need to have three user accounts, each of which was granted access to exactly one of those buckets.
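As an added illustration (not code from the question, the answer, or the fog/Paperclip projects) of the second half of the answer: once you have one interoperable key pair per environment, each belonging to an account that can reach only its own bucket, the remaining problem is keeping those pairs out of the repository. The snippet below builds the Paperclip fog options for the current Rails environment from environment variables, fails fast if the key pair is absent, and hard-wires the environment-to-bucket mapping so a development process can never be pointed at the production bucket by a stray setting. The variable names (`GCS_ACCESS_KEY_ID`, `GCS_SECRET_ACCESS_KEY`) and bucket names are assumptions; the option keys (`fog_credentials`, `fog_directory`, `google_storage_access_key_id`, `google_storage_secret_access_key`) are the ones Paperclip and fog's Google provider use.

```ruby
# Added example: per-environment Paperclip/fog storage settings for Google
# Cloud Storage, with credentials read from the process environment rather
# than committed to source. Bucket names and variable names are assumptions.
module StorageConfig
  # One bucket per environment (assumed names). The mapping lives in code;
  # the credentials that unlock each bucket do not.
  BUCKETS = {
    'development' => 'myapp-dev-uploads',
    'staging'     => 'myapp-staging-uploads',
    'production'  => 'myapp-prod-uploads',
  }.freeze

  class MissingCredential < StandardError; end

  # Return the Paperclip options hash for +rails_env+. The interoperable
  # access key pair is taken from +env+ (defaults to the real ENV); each
  # deployment environment is expected to carry the key pair of a different
  # Google account that has been granted access only to its own bucket.
  def self.paperclip_options(rails_env, env = ENV)
    bucket = BUCKETS.fetch(rails_env) do
      raise ArgumentError, "unknown environment #{rails_env.inspect}"
    end

    access_key = env['GCS_ACCESS_KEY_ID']
    secret_key = env['GCS_SECRET_ACCESS_KEY']
    if access_key.to_s.empty? || secret_key.to_s.empty?
      # Fail at boot rather than at the first upload, and never fall back
      # to a key pair baked into the source tree.
      raise MissingCredential,
            "GCS_ACCESS_KEY_ID and GCS_SECRET_ACCESS_KEY must be set for #{rails_env}"
    end

    {
      storage: :fog,
      fog_credentials: {
        provider: 'Google',
        google_storage_access_key_id: access_key,
        google_storage_secret_access_key: secret_key,
      },
      fog_directory: bucket,
      # Uploaded user content is served through the app, not as world-readable
      # objects; flip this only if the bucket is meant to be public.
      fog_public: false,
      path: ':class/:attachment/:id_partition/:style/:filename',
    }
  end
end
```

In a Rails app this would be wired in from an initializer with `Paperclip::Attachment.default_options.merge!(StorageConfig.paperclip_options(Rails.env))`, and each deployment target (developer machine, staging host, production host) gets only its own `GCS_ACCESS_KEY_ID` / `GCS_SECRET_ACCESS_KEY` in its environment. Developers then never see the production pair, and even if a developer's key leaks it can reach nothing beyond the development bucket, because the account it belongs to was granted access to that bucket alone.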