How to properly authorize request to Google Cloud Storage API?

5
votes

I am trying to use the Google Cloud Storage JSON API to retrieve files from a bucket using http calls.

I am curling from a Container in GCE within the same project as the storage bucket, and the service account has read access to the bucket

Here is the pattern of the requests:

https://storage.googleapis.com/{bucket}/{object}

According to the API console, I don't need anything particular as the service account provides Application Default Credentials. However, I keep having this:

Anonymous caller does not have storage.objects.get

I also tried to create an API key for the project and appended it to the url (https://storage.googleapis.com/{bucket}/{object}?key={key})but I still got the same 401 error.

How can I authorize requests to query this API?

2
google-cloud-storagegoogle-cloud-iam
are you using kubernetes? or is it just compute engine? - John Balvin Arias
Kubernetes on GKE - znat

2 Answers

2
votes

The URL that you are using is not correct. The APIs use a URL that starts with https://www.googleapis.com/storage/v1/b.

Using API keys is not recommended. Instead you should use a Bearer: token. I will show both methods.

To get an access token for the gcloud default configuration:

gcloud auth print-access-token

Then use the token in your curl request. Replace TOKEN with the token from the gcloud command.

To list buckets:

curl -s -H "Authorization: Bearer TOKEN" https://www.googleapis.com/storage/v1/b

curl https://www.googleapis.com/storage/v1/b?key=APIKEY

To list objects:

curl -s -H "Authorization: Bearer TOKEN" https://www.googleapis.com/storage/v1/b/examplebucket/o

curl https://www.googleapis.com/storage/v1/b/examplebucket/o?key=APIKEY

API Reference: List Buckets

1
votes

If you are able to create another cluster you can obtain permission like this: Click in "avanced edit" first next click in "Allow full access to all Cloud APIs" second

And that's it :D