I use the following Java code to add an object to google cloud storage with public read access so anyone can read the file:
try {
    // App Engine GCS client: write the object with a canned ACL that makes it world-readable.
    gcsService.createOrReplace(file, new GcsFileOptions.Builder()
            .mimeType("image/jpeg")
            .acl("public-read")   // canned ACL: allUsers get READER
            .build(),
        ByteBuffer.wrap(data));
} catch (IOException ex) {
    // handle the write failure
}
But when I go to cloud storage in the GCP console, I get this notification and also this error if I try to edit the permissions of the file:
Since you are not authorized to know the public access status of this object, it is possible that the public URL displayed is not valid.
Is there something I can do when I write the file to cloud storage so it has both the public-read permission and also allows me, the project owner, to have permission to edit its permissions?
Seems kind of silly how I cannot edit the permissions of my own objects when I am the project owner.
EDIT:
I was also considering using the new cloud storage api. Here is the code I have so far. How can I make the ACL be for the project owner (me) as well as have it be publicly readable?
// google-cloud-storage client; READER is a static import of Acl.Role.READER
Storage storage = StorageOptions.getDefaultInstance().getService();
BlobId blobId = BlobId.of(bucket, object);
BlobInfo blobInfo = BlobInfo.newBuilder(blobId)
        .setContentType(mimeType)
        // explicit object ACL: only allUsers/READER so far
        .setAcl(Arrays.asList(Acl.of(Acl.User.ofAllUsers(), READER)))
        .build();
Blob output = storage.create(blobInfo, data);
The storage.buckets.getIamPolicy permission is used to read bucket IAM policies and storage.buckets.setIamPolicy is used to update bucket IAM policies.
The storage.objects.getIamPolicy and storage.objects.setIamPolicy permissions do not apply to buckets with uniform bucket-level access enabled. So when you enable uniform bucket-level access on a bucket, Access Control Lists (ACLs) are disabled, and only bucket-level Identity and Access Management (IAM) permissions grant access to that bucket and the objects it contains. So first check whether you enabled uniform bucket-level access or fine-grained permissions for your bucket when you created it, using any of the options to view bucket metadata (except the XML API).
Access to GCS resources is not recursive. Owning a project or a bucket within that project does not necessarily imply that you also have certain permissions on a specific object. Owning the bucket does imply that you can list or delete the object, but that's it. The best resource to figure out which built-in IAM roles can do which things is the Google Cloud Platform IAM Permissions Reference. On that page, CTRL-F for the permission you're interested in and you will see the roles that grant it in the right-hand column. Note that project owner (roles/owner) is not in the list of roles that grant this permission.
And coming to how to make individual objects publicly readable, go through this Java code sample in the documentation. Again, if your bucket uses uniform bucket-level access, you cannot use these steps. Instead, grant public readability to all objects in the bucket, or use signed URLs. Maybe this is the reason you are getting the error: your bucket has uniform bucket-level access enabled and you are trying to do what is not possible there.
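The two paths described in this answer (per-object ACLs on a fine-grained bucket versus bucket-level IAM on a uniform-access bucket), put together as an added example with the google-cloud-storage Java client. This is not the asker's or the answerer's code; the bucket name, object name and project id are placeholders, and the sample payload is constructed. The ACL branch grants allUsers READER and, at the same time, gives the project's owners an explicit OWNER entry on the object, which is what an explicit ACL otherwise drops because it replaces the bucket's default object ACL.

```java
import com.google.cloud.Identity;
import com.google.cloud.Policy;
import com.google.cloud.storage.Acl;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.BlobInfo;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.BucketInfo;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import com.google.cloud.storage.StorageRoles;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

public class PublicObjectUpload {

    // Placeholders: substitute your own bucket, object name and project id.
    static final String BUCKET = "example-bucket";
    static final String OBJECT = "images/example.jpg";
    static final String PROJECT_ID = "example-project-id";

    /** True when the bucket has uniform bucket-level access enabled, i.e. object ACLs are disabled. */
    static boolean usesUniformAccess(Storage storage, String bucket) {
        Bucket meta = storage.get(bucket);
        if (meta == null) {
            throw new IllegalArgumentException("bucket not found: " + bucket);
        }
        BucketInfo.IamConfiguration iam = meta.getIamConfiguration();
        return iam != null && iam.isUniformBucketLevelAccessEnabled();
    }

    /** Object ACL: anyone may read, and the project's owners keep OWNER so they can edit the ACL later. */
    static List<Acl> publicReadWithOwnerAcl(String projectId) {
        return Arrays.asList(
            Acl.of(Acl.User.ofAllUsers(), Acl.Role.READER),
            Acl.of(new Acl.Project(Acl.Project.ProjectRole.OWNERS, projectId), Acl.Role.OWNER));
    }

    /** Fine-grained bucket: upload with an explicit ACL (this replaces the bucket's default object ACL). */
    static Blob uploadWithAcl(Storage storage, byte[] data, String mimeType) {
        BlobInfo info = BlobInfo.newBuilder(BlobId.of(BUCKET, OBJECT))
            .setContentType(mimeType)
            .setAcl(publicReadWithOwnerAcl(PROJECT_ID))
            .build();
        return storage.create(info, data);
    }

    /** Uniform bucket: no per-object ACL; public read comes from bucket IAM and covers every object. */
    static Blob uploadAndGrantBucketIam(Storage storage, byte[] data, String mimeType) {
        BlobInfo info = BlobInfo.newBuilder(BlobId.of(BUCKET, OBJECT))
            .setContentType(mimeType)
            .build();
        Blob blob = storage.create(info, data);
        // Read-modify-write of the bucket policy (storage.buckets.getIamPolicy / setIamPolicy).
        Policy current = storage.getIamPolicy(BUCKET);
        Policy updated = current.toBuilder()
            .addIdentity(StorageRoles.objectViewer(), Identity.allUsers())
            .build();
        storage.setIamPolicy(BUCKET, updated);
        return blob;
    }

    public static void main(String[] args) {
        Storage storage = StorageOptions.getDefaultInstance().getService();
        // Constructed sample payload standing in for the image bytes.
        byte[] data = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        Blob blob = usesUniformAccess(storage, BUCKET)
            ? uploadAndGrantBucketIam(storage, data, "image/jpeg")
            : uploadWithAcl(storage, data, "image/jpeg");
        System.out.println("uploaded " + blob.getBlobId() + " -> " + blob.getMediaLink());
    }
}
```

The check on uniform bucket-level access runs first because the ACL branch is rejected outright on such a bucket. Note the difference in blast radius between the two branches: the ACL entry exposes one object, while the IAM binding for allUsers exposes every current and future object in the bucket, so on a uniform bucket a signed URL is the narrower choice when only one object needs to be shared.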