1
votes

From a Grails application I would like to create a blob in a bucket. I already created the bucket in Google Cloud, created a service account, and gave owner access to the bucket to the same service account. Later I created the service account key project-id-c4b144.json, and it holds all the credentials.

    import com.google.auth.oauth2.ServiceAccountCredentials
    import com.google.cloud.storage.*
    import java.nio.charset.StandardCharsets

    // Build a Storage client that authenticates with the service account key file
    StorageOptions storageOptions = StorageOptions.newBuilder()
            .setCredentials(ServiceAccountCredentials
                    .fromStream(new FileInputStream("/home/etibar/Downloads/project-id-c4b144.json"))) // setting credentials
            .setProjectId("project-id") // setting project id, in reality it is different
            .build()
    Storage storage = storageOptions.getService()
    // Create a text object named "blob_name" in the bucket
    BlobId blobId = BlobId.of("dispatching-photos", "blob_name")
    BlobInfo blobInfo = BlobInfo.newBuilder(blobId).setContentType("text/plain").build()
    Blob blob = storage.create(blobInfo, "Hello, Cloud Storage!".getBytes(StandardCharsets.UTF_8))

When I run this code, I get a JSON error message back.

Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Caller does not have storage.objects.create access to bucket dispatching-photos.",
    "reason" : "forbidden"
  } ],
  "message" : "Caller does not have storage.objects.create access to bucket dispatching-photos."
}

| Grails Version: 3.2.10 | Groovy Version: 2.4.10 | JVM Version: 1.8.0_131

google-cloud-datastore:1.2.1

google-auth-library-oauth2-http:0.7.1

google-cloud-storage:1.2.2

1
Service accounts count as unique users with their own, separate set of permissions. Does the service account associated with the credentials project-id-c4b144.json have permission to create objects in that bucket? - Brandon Yarbrough
@Brandon Yarbrough, yes I took client email from json file and added it as a bucket admin from "bucket permissions". - Etibar - a tea bar
Is that the actual code you ran? It doesn't look syntactically valid (missing semicolon on a couple lines) and it looks like it's in an intermediate state of editing (the storage.get() call seems not to be needed). Also, I suspect your project ID isn't actually "project-id" - were you just doing that to hide your real project ID in the posting or was that the value you used in the code? - Mike Schwartz
@Mike Schwartz, I am developing in Groovy and it runs Java code as well. So in Groovy, you don't need to use semicolons. Actually, the code is similar and it doesn't have storage.get(). I updated the code. Thanks for pointing that out. Yes, the real project ID is different. - Etibar - a tea bar

1 Answer

1
votes

Concerning the service account that json file corresponds to -- I'm betting either:

A) the bucket you're trying to access is owned by a different project than the one where you have that account set as a storage admin

or B) you're setting permissions for a different service account than what that json file corresponds to
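
One way to check option B offline, as an added example that is not part of the original answer: compare the `client_email` in the key file with the members of the bucket's IAM policy, given as JSON with the usual `bindings` / `role` / `members` layout. The function name, the sample key and the sample policy are constructed, and the role set is a partial list of predefined roles that include `storage.objects.create`.

```python
import json

# Subset of predefined Cloud Storage roles that contain storage.objects.create.
# Not exhaustive: custom roles and project-level grants are not covered here.
ROLES_WITH_OBJECT_CREATE = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
    "roles/storage.legacyBucketOwner",
    "roles/storage.legacyBucketWriter",
}

def diagnose(key_json: str, policy_json: str) -> dict:
    """Compare the identity in a service account key with a bucket IAM policy."""
    key = json.loads(key_json)
    member = "serviceAccount:" + key["client_email"]
    roles_for_key, other_creators = [], []
    for binding in json.loads(policy_json).get("bindings", []):
        members = binding.get("members", [])
        if member in members:
            roles_for_key.append(binding["role"])
        if binding["role"] in ROLES_WITH_OBJECT_CREATE:
            # Service accounts that can create objects but are not the key's identity
            other_creators += [m for m in members
                               if m.startswith("serviceAccount:") and m != member]
    return {
        "member": member,
        "key_project": key.get("project_id"),
        "roles": sorted(roles_for_key),
        "can_create": any(r in ROLES_WITH_OBJECT_CREATE for r in roles_for_key),
        "other_service_accounts_with_create": sorted(set(other_creators)),
    }

# Constructed sample data (placeholder names, not taken from the question).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "uploader@example-project.iam.gserviceaccount.com",
})
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["serviceAccount:other-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:uploader@example-project.iam.gserviceaccount.com"]},
]})

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_KEY, SAMPLE_POLICY), indent=2))
```

An empty `roles` list means the key's identity is not named in the bucket policy at all, so the grant was made to another account or somewhere other than this bucket; access inherited through groups or project-level IAM is not visible in this comparison.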