Why is it possible to list files in a Storage bucket without credentials?


Stephan Mühlstrasser

Aug 28, 2018, 6:18:56 PM
to Google Cloud Developers
Hi,

I started to learn the Google Cloud APIs, and I wrote a first Go program that successfully reads files from a Storage bucket on Linux. It gets the location of the application credentials JSON file via the environment variable GOOGLE_APPLICATION_CREDENTIALS.

I then wrote another sample in JavaScript that lists the files in a bucket. I'm very sure that this sample program knows nothing about the application credentials file, as I didn't set the GOOGLE_APPLICATION_CREDENTIALS variable when executing it. Nevertheless the program can list files from the bucket.

How is that possible? Is the authentication somehow cached per user?

Thanks
Stephan

Jordan (Cloud Platform Support)

Sep 2, 2018, 6:21:47 PM
to Google Cloud Developers
It depends on where you ran your application from, e.g. a Google Cloud service. Some Google Cloud services like App Engine and Compute Engine already have the environment variables configured to use the default service account for OAuth. You can do a 'printenv' command in your Linux environment to see all of the set environment variables in order to confirm.

It also depends on the ACL permissions of the bucket and objects in your Google Cloud Storage. If your bucket permissions contain the allUsers member, then it is publicly accessible to the internet without needing any authentication.


Stephan Mühlstrasser

Sep 3, 2018, 5:48:22 PM
to Google Cloud Developers
I'm indeed testing this from a virtual machine in Google Compute Engine, but I cannot see any environment variable in the shell that could be related to OAuth authentication:

$ printenv | awk -F= '{ print $1 }'
LS_COLORS
SSH_CONNECTION
LANG
EDITOR
SSH_AUTH_SOCK
USER
GOPATH
PWD
HOME
GOROOT
SSH_AGENT_PID
SSH_CLIENT
SSH_TTY
MAIL
TERM
SHELL
SHLVL
LOGNAME
PATH
_
OLDPWD

I also checked the bucket and files permissions, and none of them has the "allUsers" member. I tested again with another small sample application and I can even download files from the bucket without providing the credentials file:

$ cat dlimg.js
const filename = "wc-1534080999.jpg";
const bucketName = "webcamstore";

// Prints "undefined" when no credentials file is configured in the environment
console.log(process.env.GOOGLE_APPLICATION_CREDENTIALS);

const storage = require('@google-cloud/storage')({projectId: 'WebCam'});

const bucket = storage.bucket('webcamstore');
const options = {
  // The path to which the file should be downloaded, e.g. "./file.txt"
  destination: filename,
};

// Downloads the file
storage
  .bucket(bucketName)
  .file(filename)
  .download(options)
  .then(() => {
    console.log(
      `gs://${bucketName}/${filename} downloaded to ${filename}.`
    );
  })
  .catch(err => {
    console.error('ERROR:', err);
  });
$ node dlimg.js
undefined
gs://webcamstore/wc-1534080999.jpg downloaded to wc-1534080999.jpg.

"undefined" shows that the environment variable GOOGLE_APPLICATION_CREDENTIALS is not set when the program is run.

Jordan (Cloud Platform Support)

Sep 3, 2018, 10:18:30 PM
to Google Cloud Developers
Since you are using Google Compute Engine (GCE), the Compute Engine default service account is saved in the VM's metadata server (a webserver that is local to the VM and is only accessible from within the VM). 

Google APIs that you run in the VM will check if they are running in a GCE VM by accessing the metadata server, and use the default service account listed there if no other service account or OAuth method is specified (like in your code).  

- You can see the Compute Engine default service account by SSHing into your VM and then running the following command:

curl -H "Metadata-Flavor:Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/

Stephan Mühlstrasser

Sep 4, 2018, 5:10:10 PM
to Google Cloud Developers
Thanks, I can see the service account with the curl command that you sent, and I also found the relevant documentation now.