Question

We would like to start using Google Cloud Storage as a persistent store for user-uploaded files. Unfortunately, I can't add the App Identity (application-id@appspot.gserviceaccount.com) to our "Team" because our team is based on Google Apps for domains, and it does not allow any email addresses that are not on our domain to be on the team.

Is there a recommended way to authenticate the App Engine instance in this case?

Solution

Create a new team using a Gmail account. Add all your team members (including the app), and delete the Gmail account from the team.

Yes, it's a horrid hack. Sorry about that.

OTHER TIPS

You can also work around this by using GSUtil to explicitly grant write access to the bucket you created so that your service account "application-id@appspot.gserviceaccount.com" has sufficient access to the bucket. By default, your bucket can't be accessed by others.

What you will need to do with GSUtil to modify your ACL on the bucket is this:

  • Retrieve the bucket's ACL: gsutil getacl gs://mybucket > acl.txt
  • Make changes to acl.txt, such as adding an additional grant for user "application-id@appspot.gserviceaccount.com" to have write access to the bucket; see the ACL doc on how to do this: http://code.google.com/apis/storage/docs/accesscontrol.html#applyacls. Specifically, it might look something like this to add to the acl.txt you downloaded:

    <Entry>
      <Scope type="UserByEmail">
        <EmailAddress>application-id@appspot.gserviceaccount.com</EmailAddress> 
        <Name>Service Account</Name> 
      </Scope> 
      <Permission>FULL_CONTROL</Permission> 
    </Entry>
    
  • Update ACL on the bucket: gsutil setacl acl.txt gs://yourbucket

Hope this helps!

To use Google Cloud Storage, you can go through this link, https://developers.google.com/storage/, then create a new account and use it.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow