4
votes

I want to create domain-named buckets in Google Cloud Storage.

I verified the ownership of the domain, and now I can create buckets with the particular names using my own account.

However, I also need to give permissions to some other developers and some service accounts to do the same thing, so I added those users as verified owners of the domain.
They can be seen on the users screen.

Extra users in the list.

And on the page about the domain owners.

The domain users page.

Yet, if I try to create the domain-named bucket with any of the added accounts (whether it's a real person's account or a service account), I get the following error.

10:46:35.447 Creating gs://bucket.mydomain.com/...
10:46:35.697 AccessDeniedException: 403 The bucket you tried to create is a domain name owned by another user.

(If I try to create the bucket from the web management console, I get a similar error.)
I verified that the accounts have permissions for the GCE project, so they can create buckets fine as long as they are not domain-named.

What am I doing wrong?

1
Do you know whether you've verified your ownership via DNS records or via posting an HTTPS file? Owning a website on a certain protocol, like http://www.somedomain.com, is a slightly different concept from owning an entire domain, like somedomain.com., which GCS may require if some other account has demonstrated ownership of the DNS record itself. See cloud.google.com/storage/docs/… - Brandon Yarbrough
Also, as an aside, rather than using domain-named buckets, you may find that using Google Cloud Load Balancer and connecting it to a GCS bucket is a more flexible solution. For example, it does not require that the GCS buckets have any particular name in order to be served from a particular URL: cloud.google.com/compute/docs/load-balancing/http/… - Brandon Yarbrough
Hi Brandon, it was done with a TXT DNS record. I guess that worked fine, since the account which has done the verification can create the bucket fine, it's only all the other accounts that cannot. Thanks for the tip about the Load Balancer, I'll take a look. (Although I'd prefer to keep the whole setup as simple as possible, since I'm creating this "website" from a shell script.) - Mark Vincze
Assuming you can still create the buckets yourself, this isn't a matter of expiry of the verification (e.g., if you delete your TXT record). If you can send your project, your user, and other affected users to gs-team AT google.com, we can follow up. - Nathan Herring

1 Answer

7
votes

The docs point to an incorrect way of verifying ownership. For service accounts, add them via https://www.google.com/webmasters/verification/home.

I figured it out after noticing different docs cover two similar-sounding ways to verify ownership. I tried the page you have in your screenshots, as it's listed in the storage docs, but then I found another set of steps listing yet another verification URL. These are the steps which actually work.