I have a simple Python web app that creates a Google Cloud Project on behalf of a user. It then creates a Storage Bucket and finally uploads a CSV file to the Storage Bucket via the JSON API.
My problem is after the the job is complete the user is unable to access the CSV file or even upload their own files to the Storage Bucket.
I think I have to set the IAM Permissions but reading through the documentation I cannot work out how.
In order to be able to read an specific file you can set the role at object level by using the ObjectAccessControls insert API call:
POST https://storage.googleapis.com/storage/v1/b/__bucket__/o/__object__/acl
Replacing __bucket__ with the name of the bucket and __object__ with the name of the file. And send the next request body properties:
entity user-email@email.com
role READER
If you want to allow the user to overwrite the file change the role property into OWNER.
If you want to allow the user to upload a totally different file into your bucket you would need to set the role to WRITER at bucket level by using the BucketAccessControls insert API call, however this might not be want you want since this will allow the next permissions to the user:
READERs can get the bucket, though no acl property will be returned, and list the bucket's objects. WRITERs are READERs, and they can insert objects into the bucket and delete the bucket's objects.