I'm looking for a way to determine who uploaded a file to a Cloud Storage bucket. All of the users with access to write to the bucket are authenticated users in the same G Suite domain.

The object ACL in Cloud Storage shows an owner identifier string which looks like the following:

{
  "entity": "user-84fac329bceSAMPLE777d5d22b8SAMPLE77d85ac2SAMPLE2dfcf7c4adf34da46",
  "entityId": "84fac329bceSAMPLE777d5d22b8SAMPLE77d85ac2SAMPLE2dfcf7c4adf34da46",
  "role": "OWNER"
}

However, it does not appear that there is an easy way to map this ID back to a user's email address (or to determine the Cloud Storage ID for a user whose email I know, except by using that user account to upload a file and querying the object ACL).

Is this true? Or am I just not seeing the way to do this?

Thank you for the help!

2 Answers

1
votes

Try getting the ACLs again. I just tried today 07/05/2017 and the returned ACLs included email address. It would appear Google has updated the API, replacing the old Google Cloud Storage ID with the user's email address.

{
  "email": "[email protected]",
  "entity": "[email protected]",
  "role": "OWNER"
}

1
votes

Although I can't give you a specific timeline, we're actively working on deprecating canonical ids. This should no longer be a problem in the near future.

In the meanwhile, there are... options.

First: A user can find their canonical ID on this page (Unfortunately it is going to make you pick a project, since the page also shows the canonical ids for the project roles). https://console.cloud.google.com/storage/settings

However, if you really need to find out the email address for a random canonical id, you should be able to use this somewhat ugly workaround.

1) Add the user to a bucket policy via the ACL API

    gsutil acl ch -u <canonical_id>:READ gs://<bucket>

2) Fetch the bucket IAM policy

    gsutil iam get gs://<bucket>

The entry should show up as an email address.

{
  "bindings": [
    {
      "members": [
        "projectOwner:<project-id>",
        "projectEditor:<project-id>"
      ],
      "role": "roles/storage.legacyBucketOwner"
    },
    {
      "members": [
        "projectViewer:<project-id>",
        "user:<user email here>"
      ],
      "role": "roles/storage.legacyBucketReader"
    }
  ],
  "etag": "CAI="
}
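The two-step workaround above leaves a READ grant on the bucket and, if the bucket already has several `user:` members, does not by itself say which email belongs to the canonical id. The script below (an added example, not code from the answer or from Google) diffs the IAM policy before and after the temporary grant and revokes the grant afterwards. It assumes `gsutil` is on PATH and authenticated; the bucket name, the `-d` revoke call and the embedded sample policies are constructed for illustration.

```python
"""Map a Cloud Storage canonical ID to an email address by diffing the
bucket IAM policy before and after a temporary ACL grant, then revoking it.
Sample policies below are constructed, shaped like `gsutil iam get` output."""
import json
import subprocess
from typing import Optional


def user_members(policy_json: str) -> set:
    """Return every 'user:<email>' member found in any binding of the policy."""
    policy = json.loads(policy_json)
    return {m for b in policy.get("bindings", [])
            for m in b.get("members", []) if m.startswith("user:")}


def resolve_new_user(before_json: str, after_json: str) -> Optional[str]:
    """Return the single email present after the grant but not before.
    Returns None when zero or several users changed (ambiguous mapping)."""
    added = user_members(after_json) - user_members(before_json)
    if len(added) != 1:
        return None
    return added.pop().split(":", 1)[1]


def gsutil(*args: str) -> str:
    """Run a gsutil command and return its stdout (raises on failure)."""
    return subprocess.run(["gsutil", *args], check=True,
                          capture_output=True, text=True).stdout


def canonical_id_to_email(bucket: str, canonical_id: str) -> Optional[str]:
    """Temporarily grant READ to the canonical id, diff the policy, revoke."""
    before = gsutil("iam", "get", f"gs://{bucket}")
    gsutil("acl", "ch", "-u", f"{canonical_id}:READ", f"gs://{bucket}")
    try:
        after = gsutil("iam", "get", f"gs://{bucket}")
    finally:
        # Always revoke the temporary grant so no extra reader is left behind
        # (assumes `acl ch -d <entity>` accepts the canonical id, as -u does).
        gsutil("acl", "ch", "-d", canonical_id, f"gs://{bucket}")
    return resolve_new_user(before, after)


# Constructed sample policies: one pre-existing user, one added by the grant.
BEFORE = json.dumps({"bindings": [
    {"members": ["projectOwner:my-proj", "projectEditor:my-proj"],
     "role": "roles/storage.legacyBucketOwner"},
    {"members": ["projectViewer:my-proj", "user:existing@example.com"],
     "role": "roles/storage.legacyBucketReader"}], "etag": "CAI="})
AFTER = json.dumps({"bindings": [
    {"members": ["projectOwner:my-proj", "projectEditor:my-proj"],
     "role": "roles/storage.legacyBucketOwner"},
    {"members": ["projectViewer:my-proj", "user:existing@example.com",
                 "user:uploader@example.com"],
     "role": "roles/storage.legacyBucketReader"}], "etag": "CAQ="})

if __name__ == "__main__":
    print(resolve_new_user(BEFORE, AFTER))  # uploader@example.com
```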