3

I'm at a loss here. My node code successfully uploaded files to gcloud Storage but can't seem to make the file public or even change the acl.

Fact is that the file was written in gcloud storage, but can't make the same file Public.

The error returned is

{ [ApiError: Insufficient Permission] errors: [ { domain: 'global', reason: 'insufficientPermissions', message: 'Insufficient Permission' } ], code: 403, message: 'Insufficient Permission', response: undefined }

Here's my code (assume that this code is within a STREAM ergo the stdout.pipe)

var gcs = GLOBAL.gcloud.storage();
var bucket = gcs.bucket(GLOBAL.storage_names.products);
var file = bucket.file('images/'+targetValue+'_'+filename);
stdout.pipe(file.createWriteStream())
  .on('error', function(err) {
    var msg = {
      "status":"Error"
      "err":err
    };
    console.log(msg);

  })
  .on('finish', function() {
    // The file upload is complete.
    console.log("Successfully uploaded "+targetValue+'_'+filename);
    file.acl.add({
      entity: 'allUsers',
      role: gcs.acl.READER_ROLE
    }, function(err, aclObject) {

      if(err==null)
      {
        //stream upload file
        file.makePublic();
      }else{
        console.log("ERROR in ACL Adding");
        console.log(err)
      }

    });
    file.makePublic(function(err, apiResponse) {
      if(err==null)
      {
        console.log("File made public");
      }else{
        console.log("make public error");
        console.log(err);
      }
    });
  });
Zachary Newman
  • 20,014
  • 4
  • 39
  • 37
andrew
  • 61
  • 1
  • 5

1 Answers1

4

While the code doesn't show the problem outright, this may help: WRITER bucket permission can create objects, but you need OWNER object permission to change ACLs on existing objects. Also, the creator of an object isn't automatically granted OWNER object permission (even if they are an OWNER of the bucket) - if you don't specify a predefined ACL when you create the object, Google Cloud Storage always applies the bucket's default object ACL to the newly created object.

So two possible fixes are (1) set the default object ACL on the bucket ahead of time to include your application credentials as OWNER or (2) provide a predefined ACL (such as 'publicRead') at object creation time instead of changing it afterward.

Adam
  • 5,697
  • 1
  • 20
  • 52
  • I'll think I'll try your second recommendation. I do have to point out though that this code resides in a compute engine and I thought that once you get permission for GLOBAL.gcloud (like so) GLOBAL.gcloud = require('gcloud')({ projectId: 'project_name_String' }); that you already have read/write permissions on the bucket. I'll post the code revision if it works (I also have to read more of the documentation to get a grasp of what you told me for (2)) – andrew Dec 14 '15 at 01:46
  • A work around I did was to set the bucket object default for allUsers as Read(able). So this means that the bucket itself is still secure, and the object written has a default of public readable. – andrew Dec 14 '15 at 04:02
  • Thanks to @Adam answer. In my case when we Logged into gcloud console and clicked on Kubernetes it shows a list of permissions which it has, this is taken from user persmissions, keep modifying the user permissions untill the cluster has the right access Ref : https://cloud.google.com/cloud-build/docs/securing-builds/set-service-account-permissions https://cloud.google.com/storage/docs/authentication [scopes] – supermonk Mar 06 '19 at 06:03