Question

Hi, I would like to change my ACL file to allow Google Compute Engine to write to my bucket.

Here is what my ACL looks like:

<?xml version="1.0" ?>
<AccessControlList>
    <Owner>
        <ID>XX</ID>
    </Owner>
    <Entries>
        <Entry>
            <Scope type="GroupById">
                <ID>XX</ID>
            </Scope>
            <Permission>FULL_CONTROL</Permission>
        </Entry>
        <Entry>
            <Scope type="AllUsers"/>
            <Permission>READ</Permission>
        </Entry>
        <Entry>
            <Scope type="UserByEmail">
                <EmailAddress>XX@appspot.gserviceaccount.com</EmailAddress>
            </Scope>
            <Permission>WRITE</Permission>
        </Entry>
    </Entries>
</AccessControlList>

Or is there any other way to do it? I don't know.


Solution 2

I added the service account to the list and it's working pretty straightforwardly, in fact.

OTHER TIPS

Compute Engine service accounts are a very clean way to get access to Cloud Storage buckets which are in the same project. No need to set ACLs on each bucket or object.

In short:

host$ gcutil addinstance reader --service_account_scopes=storage-rw
<output elided...>
host$ gcutil ssh reader
<output elided...>
reader$ gsutil ls gs://YOUR_BUCKET
<outputs the list of objects in your bucket>

...where YOUR_BUCKET is a Cloud Storage bucket in the same project as Compute Engine. Scope aliases for Cloud Storage are: storage-r, storage-w, storage-rw, and storage-full.

If you want to enable access across projects, you can do this by adding the email address of the GCE project's service account to the Google Storage resources (bucket/object) in the other project. The easiest way to find the email address of your service account is to run this inside the GCE instance launched as above:

reader$ curl -s http://metadata/0.1/meta-data/service-accounts/default | python -mjson.tool
{
    "scopes": [
        "https://www.googleapis.com/auth/devstorage.read_only"
    ], 
    "serviceAccount": "abc123.default@developer.gserviceaccount.com"
}

Details here: https://developers.google.com/compute/docs/authentication
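The following script is an added example, not code from the question or from either answer, and not a Google tool. It ties the two pieces together: it parses the metadata-server JSON shown above to recover the service-account email and its scopes, checks whether those scopes allow writing to Cloud Storage, and then adds a UserByEmail/WRITE entry for that account to an ACL in the format the question shows, without duplicating an entry that already grants write. It also reports what the ACL grants to AllUsers, since the question's ACL makes the bucket world-readable. The sample ACL and JSON are constructed from the page with placeholder IDs and account names; the three write-capable scope URLs are an assumption (only devstorage.read_only appears on the page).

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the ACL from the question, with placeholder IDs/emails.
SAMPLE_ACL = """<?xml version="1.0" ?>
<AccessControlList>
    <Owner><ID>XX</ID></Owner>
    <Entries>
        <Entry>
            <Scope type="GroupById"><ID>XX</ID></Scope>
            <Permission>FULL_CONTROL</Permission>
        </Entry>
        <Entry>
            <Scope type="AllUsers"/>
            <Permission>READ</Permission>
        </Entry>
        <Entry>
            <Scope type="UserByEmail">
                <EmailAddress>XX@appspot.gserviceaccount.com</EmailAddress>
            </Scope>
            <Permission>WRITE</Permission>
        </Entry>
    </Entries>
</AccessControlList>
"""

# Constructed sample: the metadata-server response from the answer above,
# with a placeholder account name.
SAMPLE_METADATA = """{
    "scopes": ["https://www.googleapis.com/auth/devstorage.read_only"],
    "serviceAccount": "abc123.default@developer.gserviceaccount.com"
}"""

# Assumption: these are the OAuth scope URLs behind the storage-w,
# storage-rw and storage-full aliases; only read_only is shown on the page.
WRITE_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.write_only",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
}


def parse_metadata(raw):
    """Return (service-account email, set of granted scopes) from the JSON."""
    data = json.loads(raw)
    return data["serviceAccount"], set(data.get("scopes", []))


def scopes_allow_write(scopes):
    """True if at least one granted scope permits writes to Cloud Storage."""
    return bool(WRITE_SCOPES & set(scopes))


def _entries(root):
    return root.find("Entries").findall("Entry")


def _email_of(entry):
    """Email of a UserByEmail entry, or None for any other scope type."""
    scope = entry.find("Scope")
    addr = scope.find("EmailAddress")
    if scope.get("type") == "UserByEmail" and addr is not None:
        return addr.text.strip()
    return None


def grants_for_email(acl_xml, email):
    """Permissions the ACL grants directly to the given email."""
    root = ET.fromstring(acl_xml)
    return [e.find("Permission").text for e in _entries(root)
            if _email_of(e) == email]


def public_grants(acl_xml):
    """Permissions granted to AllUsers, i.e. to anyone on the internet."""
    root = ET.fromstring(acl_xml)
    return [e.find("Permission").text for e in _entries(root)
            if e.find("Scope").get("type") == "AllUsers"]


def entry_count(acl_xml):
    return len(_entries(ET.fromstring(acl_xml)))


def grant_write_by_email(acl_xml, email):
    """Return the ACL with a UserByEmail/WRITE entry for email, added once.

    If the account already holds WRITE or FULL_CONTROL the ACL is returned
    unchanged, so running this twice does not pile up duplicate entries.
    (ET.tostring omits the <?xml ...?> declaration; gsutil accepts both.)
    """
    if any(p in ("WRITE", "FULL_CONTROL") for p in grants_for_email(acl_xml, email)):
        return acl_xml
    root = ET.fromstring(acl_xml)
    entry = ET.SubElement(root.find("Entries"), "Entry")
    scope = ET.SubElement(entry, "Scope", type="UserByEmail")
    ET.SubElement(scope, "EmailAddress").text = email
    ET.SubElement(entry, "Permission").text = "WRITE"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    email, scopes = parse_metadata(SAMPLE_METADATA)
    print("instance account:", email, "can write via scopes:", scopes_allow_write(scopes))
    print("AllUsers grants on bucket:", public_grants(SAMPLE_ACL))
    updated = grant_write_by_email(SAMPLE_ACL, email)
    print("grants for", email, "->", grants_for_email(updated, email))
```

Two things the script makes visible that the answers only imply: a service account launched with storage-r (read_only) cannot write no matter what the bucket ACL says, because both the scope and the ACL must allow it; and the AllUsers/READ entry is an independent grant that stays in place whatever you do for the service account, so check `public_grants` before assuming a bucket is private.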

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow