Google Cloud Storage - Rails web app - different buckets and different access keys for different environments

Question

I plan to use a cloud based storage service to store some static user-uploaded content of my web application. I have settled upon Google Cloud Storage for now.

My web application is Rails, and I am using Paperclip with fog to connect to Google Cloud Storage.

I understand that I need to use the Interoperable Storage Access Keys in the fog config to connect to my bucket. Any additional key I add is given access to all the buckets.

I want to have a separate bucket per environment (development, staging and production). I want to have separate access and secret keys, with each key having access to only one bucket.

Basically, I don't want to put my production keys in my web-app source code, which all developers will have access to.

I read the Google Cloud Storage documentation on ACLs, but I could not find out how to achieve what I want.

I can't imagine that others wouldn't have had the same kind of requirement. Maybe I am using the wrong search terms, but I cannot get any info about this.

I would appreciate some help.

P.S. - Is what I want possible on AWS S3? I am open to switching to S3 if this is possible on it.

Answer 1

The normal solution for something like this would be to have 3 service accounts (development-app, staging-app, production-app), each of which would have its own set of credentials and permissions. You could either have a test, staging, and production project, or you could just have test, staging, and production buckets within a single project. You can create a whole range of per-project service accounts, each with its own set of credentials and permissions.

Unfortunately, interoperable storage access keys are not available for service accounts, only regular Google user accounts. In order to do what you want, you'd need to have three user accounts, each of which was granted access to exactly one of those buckets.