How can I give my Google Cloud App Engine access to my Firebase Storage bucket

1
votes

I'm getting an error: API error 7 (images: ACCESS_DENIED)

Normally I would have the Firebase app associated with my Google App Engine service, but since Firestore is not compatible with App Engine, I have to create seperate instances of the service. However, now I need my app engine image service to be able to reference the files in the firebase cloud storage folder. How do I set up access, would I need to create some sort of IAM that's shared across both services?

Example of my app-engine go function referencing the firebase storage bucket the-other-firebase-app

func photoHandler(w http.ResponseWriter, r *http.Request) {

    c := appengine.NewContext(r)
    v := r.URL.Query()
    fileName := v.Get("file")
    if (fileName == "") {
        fmt.Fprint(w, "file name is required")
    } else {
        filename := "/gs/the-other-firebase-app.appspot.com/photos/" + fileName;
        blobKey,err := blobstore.BlobKeyForFile(c, filename)
        if (err == nil) {
            url, urlErr := image.ServingURL(c, blobKey, nil)
            if (urlErr == nil) {
                fmt.Fprint(w, url)
            } else {
                fmt.Fprint(w, urlErr)
            }
        } else {
            fmt.Fprint(w, "image does not exist")
        }
    }  
}
2
google-app-enginegoogle-cloud-storagefirebase-storage

2 Answers

3
votes

If your app is a standard env one it should already have a service account, see Using service accounts:

The App Engine application runs using the identity of the App Engine default service account. You can see this account on the IAM page in the Cloud Platform Console.

If your app is a flex engine one see Service Account for the App Engine Flexible Environment:

When you enable the Google App Engine flexible environment API, a specific service account is automatically created. You can view your project's service accounts in the IAM section of the Cloud Platform Console. The email for the App Engine flexible environment service account is service-[PROJECT-NUMBER]@gae-api-prod.google.com.iam.gserviceaccount.com, where [PROJECT-NUMBER] is the project number listed in the IAM settings.

In the Firebase app project you need to add the GAE app's service account as a team member and grant it the necessary permissions.

As mentioned in the comment:

Firebase Dasbhoard -> Project Settings Cog -> Users and permissions – MonkeyBonkey

Potentially of interest could also be Integrate with Google Cloud Platform.

2
votes

I had a very similar issue, but the exact error message thrown was:

_"[email protected] does not have storage.objects.get access to storage_file_path_here>"_

I fixed it thanks to suggestions from eltonnobrega on Github: https://github.com/firebase/functions-samples/issues/299

Here's a summary:

  1. Got to Google Cloud Console and select the project which your storage bucket is under - the bucket you want to access from your service account.
  2. Go to the Storage tab
  3. On the browser tab, you should see the storage buckets in this project. Each one will have an options icon at the line ending on the right (three vertical dots)
  4. From these options choose Edit Bucket permissions
  5. From there you can add members. Add your service account ([email protected]) and give it the Storage Object Admin role

enter image description here