I'm having problems getting Google Cloud batch operations authenticated, using the PHP library. I specifically am trying to do batch deletion of Cloud Storage objects. I am setting things up like so:
```php
use Google\Cloud\Storage\StorageClient;

$config = [
    'projectId' => <MY Project ID>,
    'keyFile' => json_decode(file_get_contents( <my json key file> ), true)
];

// API client used to build the batched delete requests
$google_client = new Google_Client($config);
$google_client->setUseBatch(true);
$delete_batch_storage_client = new Google_Service_Storage($google_client);
$delete_batch = new Google_Http_Batch($google_client, false, NULL, "batch/storage");

// Cloud Storage client used to list the objects under the prefix
$storage_client = new StorageClient($config);
$bucket = $storage_client->bucket(<my bucket name>);
$params = [
    'prefix' => <my image path>,
    'fields' => 'items/name, items/size, items/updated'
];

// Queue one delete call per listed object, then send the batch
foreach ( $bucket->objects($params) as $object )
{
    $delete_batch->add($delete_batch_storage_client->objects->delete($bucket->name(), $object->name()));
}
$result = $delete_batch->execute();
```
The result of the batch->execute() says:
"Anonymous caller does not have storage.objects.delete access to the Google Cloud Storage object."
Dumping out some debug information on the batch that is created, I can see no authentication headers either at the top level, or at the individual delete call level. Having initialized the Google_Client with my service account, and then the StorageClient with the same information, it seems like the authentication header should have been inserted at one level or the other. My service account has the following roles:
Editor
Firebase Service Management Service Agent
Owner
Service Account Token Creator
Service Account User
Viewer
I would expect that either Owner or Editor would be sufficient permissions, so what am I missing in my setup?
Ok, so I seem to have stumbled onto the (a?) solution. In addition to calling setUseBatch on the Google_Client object, adding these lines after "$google_client->setUseBatch(true);":
```php
$google_client->setAuthConfig( <path to json file> );
$google_client->setScopes( [ 'https://www.googleapis.com/auth/cloud-platform' ] );
```
Seems to have done the trick.
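
The fix above assembled into a complete batch delete, as an added example that is not part of the original post: it authenticates the `Google_Client` explicitly, then checks every call in the batch result, since a failed delete comes back as an exception object in the result array rather than being thrown. Assumptions: `google/apiclient` is installed via Composer, the key path, bucket name and prefix are placeholders, the narrower `devstorage.read_write` scope is used in place of `cloud-platform`, and batches are capped at 100 calls each.

```php
<?php
// Added example, not the poster's code. Assumes google/apiclient via Composer.
require __DIR__ . '/vendor/autoload.php';

$keyFilePath = '/path/to/service-account.json'; // placeholder
$bucketName  = 'example-bucket';                // placeholder
$prefix      = 'images/old/';                   // placeholder

$client = new Google_Client();
$client->setAuthConfig($keyFilePath);
// Assumption: the Storage-only read/write scope is used here instead of
// cloud-platform, so the token is limited to Cloud Storage.
$client->setScopes([Google_Service_Storage::DEVSTORAGE_READ_WRITE]);
$storage = new Google_Service_Storage($client);

// List object names first, while batch mode is off, so each call runs now.
$names = [];
$params = ['prefix' => $prefix, 'fields' => 'items/name,nextPageToken'];
do {
    $list = $storage->objects->listObjects($bucketName, $params);
    foreach (($list->getItems() ?: []) as $item) {
        $names[] = $item->getName();
    }
    $params['pageToken'] = $list->getNextPageToken();
} while ($params['pageToken']);

// Queue deletes in batch mode, at most 100 calls per batch request.
$client->setUseBatch(true);
$failed = [];
foreach (array_chunk($names, 100) as $chunk) {
    $batch = $storage->createBatch();
    foreach ($chunk as $i => $name) {
        $batch->add($storage->objects->delete($bucketName, $name), "obj-$i");
    }
    // Per-call failures come back as exception objects in the result array.
    foreach ($batch->execute() as $key => $response) {
        if ($response instanceof Google_Service_Exception) {
            $failed[] = sprintf('%s: HTTP %d', $key, $response->getCode());
        }
    }
}
$client->setUseBatch(false);

printf("Requested %d deletes, %d failed\n", count($names), count($failed));
foreach ($failed as $line) {
    echo $line, "\n";
}
```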