2
votes

I'm using Google Cloud Storage and have a few buckets that contain objects which are not shared publicly (example in the screenshot below). Yet I was able to retrieve a file without supplying any service account keys or authentication tokens, from a local server using NodeJS.

[screenshot]

I can't access the files from the browser via these URL formats (which is good):

    https://www.googleapis.com/storage/v1/b/mygcstestbucket/o/20180221164035-user-IMG_0737.JPG
    https://storage.googleapis.com/mygcstestbucket/20180221164035-user-IMG_0737.JPG

However, when I tried retrieving the file from NodeJS without credentials, surprisingly it could download the file to disk. I checked process.env to make sure there were no GOOGLE_AUTHENTICATION_CREDENTIALS or any pem keys, and even did a gcloud auth revoke --all on the command line just to make sure I was logged out, and still I was able to download the file. Does this mean that the files in my GCS bucket are not properly secured? Or am I somehow authenticating myself with the GCS API in a way I'm not aware of?

Any guidance or direction would be greatly appreciated!!

    // Imports the Google Cloud client library and Express (needed for `app` below)
    const express = require('express');
    // Note: @google-cloud/storage v2+ exports a named class: const { Storage } = require('@google-cloud/storage');
    const Storage = require('@google-cloud/storage');

    // Your Google Cloud Platform project ID (placeholder)
    const projectId = 'YOUR PROJECT ID';

    // Creates a client. No credentials are passed here, so the library falls back
    // to whatever Application Default Credentials it can find on the machine.
    const storage = new Storage({
      projectId: projectId
    });

    // The name of the bucket
    const bucketName = 'mygcstestbucket';
    const userBucket = storage.bucket(bucketName);

    const app = express();

    app.get('/getFile', function(req, res){
        const fileName = '20180221164035-user-IMG_0737.JPG';
        const file = userBucket.file(fileName);
        const options = {
            destination: `${__dirname}/temp/${fileName}`
        };
        file.download(options, function(err){
            if (err) {
                console.log('could not download due to error: ', err);
                return res.status(500).json('File download failed');
            }
            console.log('File completed');
            res.json('File download completed');
        });
    });

    app.listen(3000);
2
Could you include where you are running this code? E.g. is this from Cloud Shell, a computer you own, GCE, GAE etc? – David

My guess is that either this is running on GCE/container engine/app engine or GOOGLE_AUTHENTICATION_CREDENTIALS is in fact set. – Brandon Yarbrough

I'm running from my local computer. I did a console log of all my process.env variables. There's no GOOGLE_AUTHENTICATION_CREDENTIALS set. Where can I check to see if it exists? – jlyh

2 Answers

1
votes

Client Libraries use Application Default Credentials to authenticate to Google APIs. So when you don't explicitly use a specific Service Account via GOOGLE_APPLICATION_CREDENTIALS, the library will use the Default Credentials. You can find more details in this documentation.

Based on your sample, I'd assume the Application Default Credentials were used for fetching those files.

Lastly, you could always run echo $GOOGLE_APPLICATION_CREDENTIALS (or the equivalent for your OS) to confirm whether you've pointed the variable at a service account's key path.

0
votes

Create a new service account in GCP for the project and download the JSON file. Then set environment variables like the following:

    $env:GCLOUD_PROJECT="YOUR PROJECT ID"
    $env:GOOGLE_APPLICATION_CREDENTIALS="YOUR_PATH_TO_JSON_ON_LOCAL"