I've got a bucket in Google Cloud Storage, and a website. People can currently upload to the bucket through the website (using Google authentication).
However, I need to set it so that anyone can view the files that are uploaded (and can't modify them).
This can't be something that Google needs to authenticate, as some of our clients' IT departments have blocked Google (for whatever reason) and refuse to budge. It could be something where the request is made from my website, it could allow it (as I'll record the URL on the website's database).
Preferably, if this could be done without using gsutil that would be great.
You can set a default object ACL on the bucket that makes all objects uploaded to that bucket publicly readable. For example you could do it using gsutil:
gsutil defacl ch -u AllUsers:R gs://your-bucket
Note that the above command only affects newly written objects. If you already have objects in your bucket that need to be made public you could accomplish that with gsutil as well:
gsutil acl ch -u AllUsers:R gs://your-bucket/**
Regarding your point about making sure anyone can view the files but not modify them: You can accomplish this by making sure the bucket ACL only allows you (or your service account) to write objects, not all users.
Related
I am trying to download the exported data from my GSuite (Google Workplace) account. I ran the data export tool and it is sitting in a bucket. I want to download all of the files but it says that the only way I can download multiple files is to use the gsutil utility.
I installed it using pip instal -U gsutil.
I tried running the following command:
gsutil cp -r \
gs://takeout-export-3ba9a6a2-c080-430a-bece-6f830889cc83/20201202T070520Z/ \
gs://takeout-export-3ba9a6a2-c080-430a-bece-6f830889cc83/Status\ Report.html \
.
...but it failed with an error:
ServiceException: 401 Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object.
I suppose that is because I am not authenticated. I tried going through the motions with gsutil config, but it is now asking me for a "Project ID", which I cannot find anywhere in the cloud storage web page showing the bucket with the exported files.
I tries following the top answer for this question, but the project ID does not appear to be optional anymore.
How do I download my files?
The project ID is "optional" in the sense that it's only used for certain scenarios, e.g. when you want to create a bucket (without explicitly specifying a project for it to live in), that project is specified as its parent. For most things, like your scenario of copying existing GCS objects to your local filesystem, your default project ID doesn't matter; you can just type whatever you want for the project ID in order to generate your boto file for authentication.
I'm reading docs about how to use google cloud, particularly to store data on a bucket.
I can see the gcloud scp command to upload file to a VM in a secure way (highlighted in the doc).
To uload to a bucket, it's said to use gsutil cp
Is this command secure ? If I want to upload sensitive data, do I have to take more precautions (and how)
As per the documentation:
By default, gsutil accesses Cloud Storage through JSON API request endpoints. You can change this default to the XML API.
The JSON API request endpoint is HTTPS - so assuming the security provided by HTTPS is sufficient for your needs, it should be fine. That won't guard against attacks if your local machine has been compromised with a bogus version of gsutil, but at that point all bets are probably off.
I have been using the Google Speech API to transcribe audio to text from my PHP app (using the Google Cloud PHP Client) for several months without any problem. But my calls have now started to return 403 errors with status "PERMISSION_DENIED" and message "The caller does not have permission".
I'm using the Speech API together with Google Storage. I'm authenticating using a service account and sending my audio data to Storage. That's working, the file gets uploaded. So I understand - but I might be wrong? - that "the caller" does not have permission to then read to the audio data from Storage.
I've been playing with permissions through the Google Console without success. I've read the docs but am quite confused. The service account I am using (I guess this is "the caller"?) has owner permissions on the project. And everything used to work fine, I haven't changed a thing.
I'm not posting code because if I understand correctly my app code isn't the issue - it's rather my Google Cloud settings. I'd be grateful for any idea or clarifications of concepts!
Thanks.
Being an owner of the project doesn't necessarily imply that the service account has read permission on the object. It's possible that the object was uploaded by another account that specified a private ACL or similar.
Make sure that the service account has access to the object by giving it the right permissions on the entire bucket or on the specific object itself.
You can do so using gsutil acl. More information and additional methods may be found in the official documentation.
For instance the following command gives READ permission on an object to your service account:
gsutil acl -r ch -u serviceAccount#domain.com:R gs://bucket/object
And this command gives READ permission on an entire bucket to your service account:
gsutil acl -r ch -u serviceAccount#domain.com:R gs://bucket
In google cloud vision,when your creating credentials with service account key, you have to create role and set it owner and accesses full permissions
our team create some data on google cloud storage so other team can copy/download/read it from there, but when they tried, they always got 403 forbidden message. I tried to edit the permission on that bucket and added new permission as 'Project', 'viewers-(other team's project id)', and 'Reader', but still they got the same error when they ran this command:
gsutil cp -R gs://our-bucket gs://their-bucket
i also tried with their client id and email account, still the same.
I'm not sure one can define another group's collection of users with a give access right (readers, in this case), and apply it to an object in a different project.
An alternative to this would be to control bucket access via Google Groups: simply set up a group for readers, adding the users you wish to grant this right to. Then you can use said Group to control access to the bucket and/or contents. Further information, and use case scenario, here https://cloud.google.com/storage/docs/collaboration#group
try:
gsutil acl ch -u serviceaccount#google.com:R gs://your-bucket
This ch:changes the permission on 'your-bucket' for u:user serviceaccount#google.com to R:Reader.
I am a project owner and i have full control over the bucket.
I would like to give another user the FULL access control over this bucket, but I didn't manage to do it.
The mail of this user is an_email_address#gmail.com and he is listed as owner of the project, but can't have, as said before, full control over the bucket.
I tried also to give him access via gsutil: this is a snippet if the output of getacl.
<EmailAddress>an_email_address#gmail.com</EmailAddress>
<Name>User Name</Name>
</Scope>
<Permission>FULL_CONTROL</Permission>
If he logs in the Cloud storage console, he can't for example, change the permission of an object and so on.
Could you please give some hints on how to proceed?
Changing the bucket ACL will grant full control access over the bucket, which will allow reading, writing, and changing bucket metadata.
However, if you want a user to have full control over all objects in the bucket, you need to change the default object ACL, which is what is applied to objects that are created in that bucket. To change the default object ACL, you should be able to use a command such as:
gsutil defacl ch -u <email_address>:FC <bucket name>
Since this will only apply to objects created after the default object ACL has been updated, you'll also need to set the object ACL for any existing objects that you want to grant access to. If you want to grant access to all objects in the bucket, you could use a command like:
gsutil acl ch -u <email_address>:FC <bucket name>/**
If you have many existing objects in this bucket, you can add the -m flag (gsutil -m acl ch ...) to use multiprocessing for speed.
For detailed information about how ACLs work, take a look at https://developers.google.com/storage/docs/accesscontrol#default