Consider the following situation:
- I have two AppEngine projects: A and B
- I have a Cloud Storage bucket with the following ACL:

    <?xml version="1.0" ?>
    <AccessControlList>
      <Owner>
        <ID>id-of-the-user-who-created-the-bucket</ID>
      </Owner>
      <Entries>
        <Entry>
          <Scope type="UserByEmail">
            <EmailAddress>app-A-service-account-name</EmailAddress>
          </Scope>
          <Permission>FULL_CONTROL</Permission>
        </Entry>
        <Entry>
          <Scope type="UserByEmail">
            <EmailAddress>app-B-service-account-name</EmailAddress>
          </Scope>
          <Permission>FULL_CONTROL</Permission>
        </Entry>
      </Entries>
    </AccessControlList>

- My GAE applications are written in Python and they are using the GCS Client Library.
Now, here is what I want to achieve: I want application A to create files inside the bucket and then application B to read them.
At first I tried to simply create a file with cloudstorage.open(file_name, 'w') and then read its status with cloudstorage.stat(file_name, 'r'), but this way I end up with the following error while reading:
ForbiddenError at /.../
Expect status [200] from Google Storage. But got status 403.
(The error message provides also request/response information: path, headers, body and extra info. Please let me know if you think they may be helpful in solving this case)
Then I started experimenting with ACLs by setting the x-goog-acl option while creating a file, for example:
cloudstorage.open(file_name, 'w', options={'x-goog-acl': 'authenticated-read'})
Although ACLs work as intended, none of the available options seem to fit my requirements:
- private: only the bucket owner has access, B cannot read
- public-read: file is accessible by anonymous users, unacceptable
- public-read-write: same as above
- authenticated-read: everyone with an authenticated account is able to read (even people who are not part of the project), so it's no different than the previous option
- bucket-owner-read: seems perfect, but it turns out that "the bucket owner" is NOT the user who was set as "owner" through the Cloud Console, but the user who created the bucket
- bucket-owner-full-control: same as above
It looks like I ran out of options, but I can't believe that such a simple thing cannot be achieved with the Cloud Storage. The only solution that comes to my mind is changing system's architecture, but I would like to avoid it. Any other suggestions?
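The question above turns on reading a Cloud Storage XML ACL correctly: which principals hold which permission, and whether any entry is a broad AllUsers / AllAuthenticatedUsers grant (the "public-read" / "authenticated-read" cases the poster rules out). The following is an added example, not code from the question or from the GCS client library: a small stand-alone auditor that parses an ACL document of the shape shown in the question and answers those two questions for a given service-account e-mail. The sample ACL, the example.iam.gserviceaccount.com addresses, and the function names are constructed for illustration; the scope types, principal elements and permission names are those of the Cloud Storage XML API ACL format.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Cloud Storage XML ACL scope types and the child element that names the
# principal for each. AllUsers / AllAuthenticatedUsers carry no principal:
# they grant to everyone, or to anyone with a Google account, which is
# exactly the "public-read" / "authenticated-read" situation to avoid.
PRINCIPAL_ELEMENT = {
    "UserByEmail": "EmailAddress",
    "GroupByEmail": "EmailAddress",
    "UserById": "ID",
    "GroupById": "ID",
    "GroupByDomain": "Domain",
    "AllUsers": None,
    "AllAuthenticatedUsers": None,
}
BROAD_SCOPES = {"AllUsers", "AllAuthenticatedUsers"}

# FULL_CONTROL implies READ and WRITE; WRITE alone does not imply READ.
IMPLIED = {
    "READ": {"READ"},
    "WRITE": {"WRITE"},
    "FULL_CONTROL": {"READ", "WRITE", "FULL_CONTROL"},
}

# Constructed sample, modelled on the bucket ACL in the question, with a
# deliberately over-broad AllAuthenticatedUsers entry to be caught.
SAMPLE_ACL = """<?xml version="1.0" ?>
<AccessControlList>
  <Owner><ID>id-of-the-user-who-created-the-bucket</ID></Owner>
  <Entries>
    <Entry>
      <Scope type="UserByEmail"><EmailAddress>app-a@example.iam.gserviceaccount.com</EmailAddress></Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="UserByEmail"><EmailAddress>app-b@example.iam.gserviceaccount.com</EmailAddress></Scope>
      <Permission>READ</Permission>
    </Entry>
    <Entry>
      <Scope type="AllAuthenticatedUsers"/>
      <Permission>READ</Permission>
    </Entry>
  </Entries>
</AccessControlList>"""


@dataclass(frozen=True)
class Grant:
    scope_type: str
    principal: Optional[str]   # None for AllUsers / AllAuthenticatedUsers
    permission: str


def parse_acl(xml_text: str) -> List[Grant]:
    """Parse an <AccessControlList> document into Grant records, rejecting
    unknown scope types and permissions instead of silently skipping them."""
    root = ET.fromstring(xml_text)
    if root.tag != "AccessControlList":
        raise ValueError("not an AccessControlList document: %r" % root.tag)
    grants = []
    for entry in root.iter("Entry"):
        scope = entry.find("Scope")
        permission = entry.findtext("Permission")
        if scope is None or permission not in IMPLIED:
            raise ValueError("malformed ACL entry")
        scope_type = scope.get("type")
        if scope_type not in PRINCIPAL_ELEMENT:
            raise ValueError("unknown scope type %r" % scope_type)
        element = PRINCIPAL_ELEMENT[scope_type]
        principal = scope.findtext(element) if element else None
        if element and not principal:
            raise ValueError("scope %s is missing its <%s>" % (scope_type, element))
        grants.append(Grant(scope_type, principal, permission))
    return grants


def effective_permissions(grants: List[Grant], email: str) -> set:
    """Permissions an account gets from direct UserByEmail grants on it.
    Group and domain scopes cannot be resolved offline, so they are not
    assumed to include the account; list them separately if you need them."""
    perms = set()
    for g in grants:
        if g.scope_type == "UserByEmail" and g.principal.lower() == email.lower():
            perms |= IMPLIED[g.permission]
    return perms


def broad_grants(grants: List[Grant]) -> List[Grant]:
    """Entries that grant to everyone or to every authenticated Google account."""
    return [g for g in grants if g.scope_type in BROAD_SCOPES]


def audit(xml_text: str, reader_email: str) -> dict:
    """Answer the two questions that matter for the A-writes / B-reads setup."""
    grants = parse_acl(xml_text)
    return {
        "reader_can_read": "READ" in effective_permissions(grants, reader_email),
        "broad_grants": [(g.scope_type, g.permission) for g in broad_grants(grants)],
        "full_control": sorted(g.principal for g in grants
                               if g.permission == "FULL_CONTROL" and g.principal),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_ACL, "app-b@example.iam.gserviceaccount.com"))
```

Run it against the ACL returned for the bucket (or for an individual object, which has the same document shape) and refuse to ship a configuration whose `broad_grants` list is non-empty; `reader_can_read` tells you whether the reading application's service account is granted access by name rather than by a catch-all scope.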