I granted access to certain users by their emails on my bucket, hosted on Google Cloud Storage (like jane@gmail.com). However, whenever that person is logged in to their Gmail account in Chrome, they can't access the file. It just says permission denied. What's going on?

The link I'm using is something like: http://storage.googleapis.com/my-bucket/my-object

And on my dashboard, I've DEFINITELY configured their Gmail accounts to be able to access my bucket (and also even specific files).

I also tried to use the gsutil tool, as such:

```
gsutil acl ch -u jane@gmail.com:R gs://finance-marketing
```

But I keep getting some code 401 Login Required message. Am I misunderstanding something? Do specific users all have to download gsutil and grant themselves access somehow?

David T.

1 Answer

When you grant access, you are granting the user permission to access the object using OAuth2 credentials. The Developers Console performs this authentication behind the scenes, but Chrome doesn't know anything about it, which is why the link you showed doesn't work.

Without granting the user access to the project itself (at which point they would be able to use the console browser), you need the user to use a tool that understands OAuth2, such as gsutil.

You could also leverage the console's behind-the-scenes OAuth2 by providing the user with a link from within the console itself, such as: https://console.developers.google.com/m/cloudstorage/b/your-bucket-name/o/your-object-name - this should work in Chrome provided the user is logged in.

Finally, another option for accessing via Chrome is to use Cookie auth as described here https://developers.google.com/storage/docs/authentication. Then you can provide a URL of the form: https://storage.cloud.google.com/your-bucket-name/your-object-name

If you choose the gsutil route, you need to run:

```
gsutil config
```

To set up gsutil to use your credentials (same goes for the user you want to grant access to).

Travis Hobrla
  • i think the easiest is if i want to leverage OAuth2 by giving them the custom link: `https://console.developers.google.com/m/cloudstorage/b/some-bucket/o/some-file`. this just worked for a single file. however, if i want to give access to the ENTIRE bucket (and all files in it), how do i do this? i tried to grant access to my bucket, but it doesn't seem to work on new files put into that bucket. – David T. Aug 15 '14 at 21:49
  • You'll want to update the bucket's default object ACL to give someone access to all new files. See https://developers.google.com/storage/docs/accesscontrol#defaultobjects – lot Aug 15 '14 at 22:18
  • Separately, it's important to note that the bucket ACL doesn't really have anything to do with accessing the actual objects in the bucket; for that, each object's ACL needs to be set correctly. – lot Aug 15 '14 at 22:20
  • @lot i'm having some trouble setting up the ACL following that documentation. i decided to post it as a separate question on here: http://stackoverflow.com/questions/25393406/how-to-add-domain-to-google-cloud-storage-object-acl-at-creation will you please also take a look at that? – David T. Aug 19 '14 at 21:38
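
An added example, not part of the original answer or comments: a Python helper that converts the object references seen in this thread (the `storage.googleapis.com` link and a `gs://` URI) into the `storage.cloud.google.com` form the answer gives for signed-in browser access. The function names are hypothetical and the bucket and object names are constructed placeholders; the user must still have read permission in the object's ACL.

```python
from urllib.parse import quote, unquote, urlsplit

API_HOST = "storage.googleapis.com"        # host from the question's link
BROWSER_HOST = "storage.cloud.google.com"  # cookie-auth host from the answer


def split_gcs_reference(ref):
    """Return (bucket, object_name) from a gs:// URI or an http(s) object URL."""
    parts = urlsplit(ref)
    host = (parts.hostname or "").lower()
    raw_path = parts.path.lstrip("/")
    if parts.scheme == "gs":
        # gs:// names are literal, so no percent-decoding is applied
        bucket, obj = host, raw_path
    elif parts.scheme in ("http", "https") and host in (API_HOST, BROWSER_HOST):
        # path-style URL: /bucket/object
        bucket, _, obj = unquote(raw_path).partition("/")
    elif parts.scheme in ("http", "https") and host.endswith("." + API_HOST):
        # virtual-hosted-style URL: bucket.storage.googleapis.com/object
        bucket, obj = host[: -len("." + API_HOST)], unquote(raw_path)
    else:
        raise ValueError(f"not a Cloud Storage object reference: {ref!r}")
    if not bucket or not obj:
        raise ValueError(f"bucket and object name are both required: {ref!r}")
    return bucket, obj


def browser_url(ref):
    """Build the HTTPS link a signed-in user can open in the browser."""
    bucket, obj = split_gcs_reference(ref)
    # Keep "/" so nested object names stay readable; percent-encode the rest.
    return f"https://{BROWSER_HOST}/{bucket}/{quote(obj, safe='/')}"


if __name__ == "__main__":
    # Constructed sample references; bucket and object names are placeholders.
    for sample in (
        "http://storage.googleapis.com/my-bucket/my-object",
        "gs://finance-marketing/reports/2014 Q3.pdf",
        "https://my-bucket.storage.googleapis.com/a%20b.txt",
    ):
        print(sample, "->", browser_url(sample))
```

The rewritten link always uses HTTPS, so the browser's Google session cookie is never sent over plain HTTP.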