
Why can I still access object listing of a Google Cloud private bucket


I made a private bucket in Google Cloud Storage (preventing all public access). I am new to Google Cloud, so these are some tests I am doing. I created a service account credentials key to get storage access while developing. At some point I realised I could still list the objects of the bucket using Node.js locally even after I deactivated the service account credentials in the GCP console and in code.

So I am getting the credentials from somewhere else, since I can't list the bucket objects on another computer...

I am trying to find where I am getting the credentials from...

I deleted the gcloud default configuration files and removed all gcloud auth accounts; no credentials show up when I list them.

But I can still list the private bucket objects locally in Node.

There is an App Engine app in this GCP project.

Here is my Node.js code:

const {Storage} = require('@google-cloud/storage');
const path = require("path");

const googleCloudProject = process.env.GOOGLE_CLOUD_PROJECT;

// No keyFilename is passed, so the client library falls back to
// Application Default Credentials to find something to authenticate with.
const storage = new Storage({
    //keyFilename:path.join(__dirname,"./phrasal-method-392523-57b015679652.json"),
    //projectId:process.env.GOOGLE_CLOUD_PROJECT
});

const bucketName = process.env.GCLOUD_STORAGE_BUCKET;

async function listFiles() {
    // Lists files in the bucket
    try {
        console.log(bucketName);
        const [files] = await storage.bucket(bucketName).getFiles();
        // An empty bucket returns an empty array; files[0].name would throw.
        if (files.length === 0) {
            console.log("bucket is empty");
            return;
        }
        console.log(files[0].name);
    } catch (error) {
        console.log("ERROR!!:" + error);
        //res.statusCode(500).send("Error occured");
    }
}

listFiles();

The JSON credentials file is commented out...

Thank you and have a nice day!


Solution

  • I recommend you learn more about ADC on Google Cloud

    ADC is a standard mechanism used by the Google Cloud client libraries to find the credentials automatically in the runtime environment when you don't explicitly mention a service account key file. And because you are learning Google Cloud, start by avoiding the service account key file: it's a bad practice that creates security breaches in your dev cycle.

    • ADC starts by searching for the GOOGLE_APPLICATION_CREDENTIALS env var and uses it
    • If not present, it tests whether the metadata server is present (all Google Cloud services offer a metadata server that serves the credentials of your runtime service account) -> works only if you run your code on Google Cloud
    • If not, it looks in the "well-known location", especially to check whether you previously performed a gcloud auth application-default login, which creates a JSON file in your current runtime environment (your workstation) with your own user credential information

    As a bonus, keep this in mind:

    • gcloud auth application-default login creates a credentials file in your file system, and it is used when you run code with the client libraries
    • gcloud auth login creates a credentials file in your file system, and it is used when you use the gcloud command line