unable to make service-authenticated calls from AppEngine to Cloud Storage


Alexey

May 15, 2016, 10:09:09 PM5/15/16
to Google App Engine
I have an App Engine Java application with billing enabled that I am now trying to integrate with Cloud Storage. The idea is for the application to archive files in Cloud Storage when processing certain queue jobs. I have gone over numerous pieces of documentation and followed directions as best I could, making use of the Google Service Client and Storage JSON API client libraries. I have created a single bucket so that the app can create objects in it. The problem is that I can't seem to establish trust between App Engine and the bucket. Here is some relevant code:

        import java.net.URL;
        import java.util.Arrays;
        import java.util.Collection;

        import com.google.api.client.extensions.appengine.http.UrlFetchTransport;
        import com.google.api.client.googleapis.extensions.appengine.auth.oauth2.AppIdentityCredential;
        import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
        import com.google.api.client.http.GenericUrl;
        import com.google.api.client.http.HttpRequest;
        import com.google.api.client.http.HttpRequestInitializer;
        import com.google.api.client.http.HttpResponse;
        import com.google.api.client.http.HttpTransport;
        import com.google.api.client.http.InputStreamContent;
        import com.google.api.client.json.JsonFactory;
        import com.google.api.client.json.jackson2.JacksonFactory;
        import com.google.api.services.storage.Storage;
        import com.google.api.services.storage.StorageScopes;
        import com.google.api.services.storage.model.StorageObject;

            // Build the Storage client. AppIdentityCredential signs requests as the
            // App Engine default service account (<app-id>@appspot.gserviceaccount.com),
            // so that is the identity the bucket's permissions are checked against.
            final Collection<String> scopes = Arrays.asList(StorageScopes.DEVSTORAGE_READ_WRITE);
            final String appName = "graph-wars";
            final HttpTransport transport = GoogleNetHttpTransport.newTrustedTransport();
            final JsonFactory jsonFactory = new JacksonFactory();
            final HttpRequestInitializer credential = new AppIdentityCredential(scopes);
            service = new Storage.Builder(transport, jsonFactory, credential)
                .setApplicationName(appName)
                .build();
...
        // Fetch the source file through URLFetch and stream the response body
        // straight into the bucket as a new object.
        final HttpTransport transport = new UrlFetchTransport();
        final HttpRequest request = transport.createRequestFactory().buildGetRequest(new GenericUrl(new URL(url)));
        final HttpResponse response = request.execute();
        try
        {
            final StorageObject insertRequestObject = new StorageObject()
                .setBucket(bucketName)
                .setName(objectName)
                .setContentDisposition("attachment");
            final Storage service = getService();
            final Storage.Objects objService = service.objects();
            final Storage.Objects.Insert insertRequest = objService.insert(
                bucketName,
                insertRequestObject,
                new InputStreamContent(response.getContentType(), response.getContent())
            );
            // This is the call that comes back with 403 FORBIDDEN.
            final StorageObject insertedObject = insertRequest.execute();
        }
        finally
        {
            // Release the URLFetch response whether or not the insert succeeded.
            response.disconnect();
        }


I'm getting 403 response codes (seeing it with some debug println statements):

[s~graph-wars/69.392817061931109015].<stdout>: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 FORBIDDEN { "code" : 403, "errors" : [ { "domain" : "global", "message" : "Forbidden", "reason" : "forbidden" } ], "message" : "Forbidden" }

From the console UI and documentation, it doesn't seem like I need to be doing anything special with the project or credential.  What am I missing?  Any help would be appreciated.  Thanks!

Alexey

May 17, 2016, 7:58:35 PM5/17/16
to Google App Engine
It's been a few days and I was wondering if any support folks are looking at this topic. I know you guys work super hard but want to make sure this question gets to somebody.

Nick (Cloud Platform Support)

May 20, 2016, 1:48:07 PM5/20/16
to Google App Engine
Hey Alexey,

Thanks for your patience, I just got a chance to view this thread now. From the 403 response, it appears the credentials aren't passing the ACL of the bucket. If you create a bucket within a project, it doesn't automatically grant access to the App Engine default service account which is the account that the App Identity credentials are held by. The service account's ID is something like <app-id>@appspot.gserviceaccount.com. If you can add that account with appropriate permissions to the bucket you created, the 403 should go away.

Cheers,

Nick
Cloud Platform Community Support
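A preflight check for the grant Nick describes, added here as an example and not code from the thread: it asks Cloud Storage whether the identity behind AppIdentityCredential actually holds storage.objects.create on the bucket, so a missing grant is reported by name instead of surfacing as a bare 403 from the insert. The bucket name is a placeholder, and it assumes a version of the Storage JSON API client that exposes buckets().testIamPermissions.

```java
import com.google.api.client.googleapis.extensions.appengine.auth.oauth2.AppIdentityCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.storage.Storage;
import com.google.api.services.storage.StorageScopes;
import com.google.api.services.storage.model.TestIamPermissionsResponse;
import com.google.appengine.api.appidentity.AppIdentityServiceFactory;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/** Checks, before uploading, that the app's service account may create objects in the bucket. */
public final class BucketAccessCheck {

    // Placeholder bucket name; use the bucket the queue job archives into.
    private static final String BUCKET = "example-archive-bucket";
    // The one permission the objects().insert() call in the thread needs.
    private static final String NEEDED = "storage.objects.create";

    private BucketAccessCheck() {}

    /** Same client construction as in the thread: App Identity credentials, read/write scope. */
    static Storage buildService() throws Exception {
        return new Storage.Builder(
                GoogleNetHttpTransport.newTrustedTransport(),
                new JacksonFactory(),
                new AppIdentityCredential(Arrays.asList(StorageScopes.DEVSTORAGE_READ_WRITE)))
            .setApplicationName("graph-wars")
            .build();
    }

    /** Returns true when the caller's identity holds storage.objects.create on {@code bucket}. */
    static boolean canCreateObjects(Storage service, String bucket) throws IOException {
        TestIamPermissionsResponse resp = service.buckets()
            .testIamPermissions(bucket, Arrays.asList(NEEDED))
            .execute();
        List<String> granted = resp.getPermissions();   // only the permissions actually held
        return granted != null && granted.contains(NEEDED);
    }

    /** Logs which account the app runs as and whether it is allowed on the bucket. */
    public static void explain() throws Exception {
        // The account behind AppIdentityCredential: <app-id>@appspot.gserviceaccount.com
        String sa = AppIdentityServiceFactory.getAppIdentityService().getServiceAccountName();
        if (canCreateObjects(buildService(), BUCKET)) {
            System.out.println(sa + " can create objects in gs://" + BUCKET);
        } else {
            System.out.println(sa + " lacks " + NEEDED + " on gs://" + BUCKET
                + "; grant roles/storage.objectCreator to that account on the bucket");
        }
    }
}
```

Granting roles/storage.objectCreator to the service account on the bucket itself is narrower than a project-wide grant in IAM & Admin, since the job only needs to create objects in that one bucket.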

Alexey

May 20, 2016, 11:15:58 PM5/20/16
to Google App Engine
Nick,

That was it -- many thanks! To recap, my error was in not realizing that <app-id>@appspot.gserviceaccount.com had to be added in the "IAM & Admin" screen in the console.

Nick (Cloud Platform Support)

May 24, 2016, 2:12:21 PM5/24/16
to Google App Engine
Hey Alexey,

Good to hear! Hopefully this thread can be useful for future users. We're generally trying to unify permissions and identity/access management. Feel free to open a thread any time you have a question about the services in general, and open a Stack Overflow thread any time you have a programming error or question like this one. We monitor there as well, and there are many more users who can potentially help.

Regards,


Nick
Cloud Platform Community Support
