storage.buckets().insert() for xyz.domain.com bucket not working - google-cloud-storage

I am using the GCS JSON API via Java and a Service Account. My code to insert objects, delete objects, and copy objects all works great. And I can successfully create new buckets with storage.buckets().insert() so long as the bucket name is NOT based on my domain name (i.e. creating bucket "454393-test-bucket" works, but creating bucket "test334.domain.com" does NOT work). Note that I CAN create domain name based buckets from the developer console when logged in as the project owner with no problem, and can also later insert/copy/delete objects from that bucket via the service account.
There must be something basic I am doing wrong.
Here is my code:
import com.google.api.services.storage.model.Bucket;

// A bucket name containing dots is treated by GCS as a domain name and requires domain ownership verification
Bucket newBucket = new Bucket().setName(bucketName);
storage.buckets().insert(Utils.GAE_PROJECT_NAME, newBucket).execute();
Here is the error I get:
Uncaught exception from servlet
com.google.api.client.googleapis.json.GoogleJsonResponseException: 403
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "The bucket you tried to create is a domain name owned by another user.",
"reason" : "forbidden"
} ],
"message" : "The bucket you tried to create is a domain name owned by another user."
}

The account which verifies ownership of the bucket must be the same account that creates the bucket. If your account is the verified owner of your domain, your account must be used to create the bucket (and not a service account owned by a project owned by your account). When you are creating buckets from the developer console, you're using your own account, which has access.
Good news, though. You can add your service account to the list of owners of the domain, and it will gain this permission. On Webmaster Central, you can add and remove owners for domains.
Go to https://www.google.com/webmasters/verification/home?hl=en
Click on your domain
Click "Add an owner"
Put in the email address of the service account.
More on this is available in the Google Cloud Storage documentation: https://developers.google.com/storage/docs/bucketnaming#verification
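As an added pre-flight check (example code written for this page, not part of the question or answer above, and not the Google client library): the 403 only happens for names that GCS treats as domain names, so it is cheap to detect that case before calling buckets().insert() and to turn the two 403 bodies quoted on this page into the concrete action the answer describes. The naming rules encoded here follow the Cloud Storage bucket naming documentation (lowercase letters, digits, dashes, underscores and dots; 3 to 63 characters, or up to 222 when the name contains dots with each dot-separated component at most 63; no dotted-decimal IP addresses; no "goog" prefix or "google"-like substrings). The sample error body is the one from the question; the service account address in the usage section is hypothetical.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Sample input: the 403 body quoted in the question above (copied, not fabricated).
PAGE_ERROR = {
    "code": 403,
    "errors": [{"domain": "global",
                "message": "The bucket you tried to create is a domain name owned by another user.",
                "reason": "forbidden"}],
    "message": "The bucket you tried to create is a domain name owned by another user.",
}

# Allowed characters, and the shape of each dot-separated component,
# per the Cloud Storage bucket naming rules.
_CHARSET = re.compile(r"^[a-z0-9._-]+$")
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9_-]*[a-z0-9])?$")


def check_bucket_name(name: str) -> Dict[str, object]:
    """Validate a bucket name locally and flag whether GCS treats it as a domain name.

    A name containing dots is domain-style: GCS accepts it only from an account
    (user or service account) that is a verified owner of that domain.
    """
    problems: List[str] = []
    if not _CHARSET.match(name):
        problems.append("only lowercase letters, digits, '-', '_' and '.' are allowed")
    if not (name[:1].isalnum() and name[-1:].isalnum()):
        problems.append("must start and end with a letter or digit")
    domain_style = "." in name
    limit = 222 if domain_style else 63            # dotted names may be longer
    if not 3 <= len(name) <= limit:
        problems.append(f"length must be between 3 and {limit} characters")
    if domain_style:
        for label in name.split("."):
            if len(label) > 63 or not _LABEL.match(label):
                problems.append(f"dot-separated component {label!r} is invalid")
        try:                                       # dotted-decimal IPs are rejected by GCS
            ipaddress.IPv4Address(name)
            problems.append("must not look like an IPv4 address")
        except ValueError:
            pass
    if name.startswith("goog"):
        problems.append("must not start with 'goog'")
    if re.search(r"g[o0]{2}g[l1]e", name):         # "google" and close misspellings
        problems.append("must not contain 'google' or a misspelling of it")
    return {"valid": not problems, "domain_style": domain_style, "problems": problems}


# Substrings of the two 403 bodies quoted on this page that both mean
# "the caller is not a verified owner of the domain in the bucket name".
_VERIFICATION_HINTS = (
    "is a domain name owned by another user",
    "requires domain ownership verification",
)


def explain_insert_error(error_body: Dict[str, object], caller: str) -> Optional[str]:
    """Map a buckets.insert 403 to the fix, or return None if it is some other error."""
    if error_body.get("code") != 403:
        return None
    message = str(error_body.get("message", ""))
    if any(hint in message for hint in _VERIFICATION_HINTS):
        return (f"{caller} is not a verified owner of the domain in the bucket name; "
                "add it as an owner in Search Console (Webmaster Central) and retry")
    return None


if __name__ == "__main__":
    for candidate in ("454393-test-bucket", "test334.domain.com", "192.168.5.4"):
        print(candidate, check_bucket_name(candidate))
    # Hypothetical service account address, for illustration only.
    print(explain_insert_error(PAGE_ERROR, "svc-account@example-project.iam.gserviceaccount.com"))
```

Run check_bucket_name() on the name before the insert call: when domain_style is true, the caller's identity (the service account email, not the project owner's) must already appear in the domain's verified owners, otherwise the insert will fail with exactly the body shown in the question. explain_insert_error() keeps that case separate from ordinary permission errors, which need an IAM fix rather than domain verification.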

Related

Azure media service v3 - Create job with sas url is failing due to Access issue

I'm trying to create an asset from code, but I'm getting the error below:
{
"error": {
"code": "Conflict",
"message": "The server received a 403 Forbidden error when accessing Azure Storage. Please check your permissions to the storage accounts linked to the media account.",
"details": [
{
"code": "AuthorizationFailure",
"message": "The server received a 403 Forbidden error when accessing Azure Storage. Please check your permissions to the storage accounts linked to the media account."
}
]
}
}
Also, I tried directly in the portal with the generated SAS URL, but I'm still facing an access issue. I can confirm the AAD service principal has been assigned the "Contributor" role, but I still get this error.
Error:
The client 'xx' with object id 'xx' does not have authorization to perform action 'Microsoft.Media/mediaservices/assets/write' over scope '/subscriptions/xx/resourceGroups/xx/providers/Microsoft.Media/mediaservices/itskssearchmediadev/assets/ignite-mp4-20220207-192422' or the scope is invalid. If access was recently granted, please refresh your credentials.
What else permission do I need to provide?
Note: I also tried with my personal account, which has full access, and it works there.
The Storage Account Contributor role permits management of storage accounts (e.g., creating and deleting storage accounts), but it does not permit access to data in the storage account.
To allow Media Services to write to the storage account, the Managed Identity must be granted a role that has access to the storage account data, for example, Storage Blob Data Contributor.

Unable to transfer GCS bucket from one account to another

I am trying to create a transfer job in Data Transfer, to copy all files in a bucket belonging to one account to an existing bucket belonging to another account.
I get access to both source and destination buckets, I get "green light" in the wizard, but when I try to run the transfer job I get the following error message:
To complete this transfer, you need the 'storage.buckets.setIamPolicy'
permission for the source bucket. Ask the bucket's administrator to
grant you the required permission and try again.
I have tried to apply various roles to the user running the transfer job, but I can't figure out how to overcome this problem.
Can anyone help me on this?
The storage.buckets.setIamPolicy permission can be granted with either the roles/storage.legacyBucketOwner or the roles/iam.securityAdmin role. It could be needed to keep the permissions applied to the source object.
Permissions for copying an object:
storage.objects.create (for the destination bucket)
storage.objects.delete (for the destination bucket)
storage.objects.get (for the source object)
storage.objects.getIamPolicy (for the source object)
storage.objects.setIamPolicy (for the destination bucket)
Please see:
Cloud IAM > Documentation > Understanding roles
Cloud Storage > Documentation > Reference > Cloud IAM roles

Creating domain Storage Buckets

message: '{"ResourceType":"storage.v1.bucket","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"The bucket you tried to create requires domain ownership verification.","reason":"forbidden"}],"message":"The bucket you tried to create requires domain ownership verification.","statusMessage":"Forbidden","requestPath":"https://www.googleapis.com/storage/v1/b","httpMethod":"POST","suggestion":"Consider granting permissions to 1058303916595@cloudservices.gserviceaccount.com"}}'
Above is the message I get when I try to create storage buckets via Deployment Manager. I already tried adding 1058303916595@cloudservices.gserviceaccount.com to the verified owners of that domain in the Google Search Console, but still no luck.
To create a Storage Bucket with domain name, your account should be a verified owner of the domain, not the cloudservices.gserviceaccount.com. Additional information can be found in Domain-Named Bucket Verification documentation.
You have to login to your domain name provider with the same account that you use to login to the Google Cloud Console. Then request a new domain name, go to Google Cloud Console App Engine page. Go to Settings and then click on Custom domains and then Add a custom domain. After adding the domain name there and verifying it, you will be able to create a bucket name using that domain as name. But make sure to do so with the same account that the domain was verified with.

Hiding Buckets in Google Cloud Storage

We've just moved files off of a 10 year old FTP server and are now using Google Cloud Storage for our company's files. This was setup to use the web-hosting feature of GCS, and the access logging capability was also enabled.
The access logs are dumped into a bucket. I would like to deny access to this bucket, but allow them to continue using the main GCS bucket (we use Cyberduck for this).
We are presently allowing anybody with our company's email address to read/write to the buckets in this project, by giving the "Domain" the "Storage Admin" and "Storage Object Admin" permissions. This was granted through the IAM permissions.

Cannot create bucket even if another user no longer own the bucket name

We are transferring a Google Cloud Storage bucket name (a naked domain name) from one user to another. Since we no longer have an active account that owns the bucket name, the bucket was deleted from Google Cloud Storage. We then tried to recreate the same bucket name, but the console continues to deny creating the bucket with the following error:
The bucket you tried to create is a domain name owned by another user.
It has been several days since the bucket was deleted.
In order to create a bucket that maps to a domain name, the account creating the bucket must be the registered owner of the domain name. Presumably the old account is registered as the owner of the domain. You're going to want to have the new account go through the domain verification process at Google Webmaster Tools: https://www.google.com/webmasters/tools/
Here's some more documentation about how to claim ownership of the domain name: https://support.google.com/webmasters/answer/35179