5

I am trying to use the Google Cloud Storage JSON API to retrieve files from a bucket using http calls.

I am curling from a Container in GCE within the same project as the storage bucket, and the service account has read access to the bucket.

Here is the pattern of the requests:

https://storage.googleapis.com/{bucket}/{object}

According to the API console, I don't need anything particular as the service account provides Application Default Credentials. However, I keep having this:

Anonymous caller does not have storage.objects.get

I also tried to create an API key for the project and appended it to the url (https://storage.googleapis.com/{bucket}/{object}?key={key}) but I still got the same 401 error.

How can I authorize requests to query this API?

znat

2 Answers

3

The URL that you are using is not correct. The APIs use a URL that starts with https://www.googleapis.com/storage/v1/b.

Using API keys is not recommended. Instead you should use a Bearer: token. I will show both methods.

To get an access token for the gcloud default configuration:

gcloud auth print-access-token

Then use the token in your curl request. Replace TOKEN with the token from the gcloud command.

To list buckets:

curl -s -H "Authorization: Bearer TOKEN" https://www.googleapis.com/storage/v1/b

curl "https://www.googleapis.com/storage/v1/b?key=APIKEY"

To list objects:

curl -s -H "Authorization: Bearer TOKEN" https://www.googleapis.com/storage/v1/b/examplebucket/o

curl "https://www.googleapis.com/storage/v1/b/examplebucket/o?key=APIKEY"

API Reference: List Buckets

John Hanley
  • Thanks. I came across `gcloud auth print-access-token` but it only produces a short-lived token. I am using this API within a GCP project and I would like to avoid having to implement a whole OAuth flow. – znat Nov 05 '18 at 16:32
  • All access tokens are short-lived. Generating access tokens is fairly easy. Then you authorize another one before it expires. Your other choice is to use the SDK and service account credentials - which are designed for your use case. However, you are changing the question - create a new one. – John Hanley Nov 05 '18 at 16:40
  • Additional item, when you use curl, your credentials are not being used. Only what you specify to curl is used. – John Hanley Nov 05 '18 at 16:42
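
The Bearer-token request from the answer above, as an added example that is not part of the original answers: it takes the token from the GCE metadata server instead of `gcloud`, and downloads one object through the JSON API. It assumes the caller runs on a GCE VM or container with an attached service account and curl 7.55 or newer; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the answers above. Assumes a GCE VM or container with
# an attached service account that can read the bucket, and curl 7.55 or newer.

API_BASE="https://www.googleapis.com/storage/v1/b"   # base URL from the answer
# Metadata server endpoint that issues tokens for the attached service account.
TOKEN_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"

# Percent-encode an object name so it stays one path segment ("/" -> %2F).
# Assumption for this example: object names are ASCII.
urlencode() (
  LC_ALL=C
  rest=$1 out=
  while [ -n "$rest" ]; do
    tail=${rest#?}
    c=${rest%"$tail"}
    rest=$tail
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# Build the JSON API media-download URL for bucket $1 and object $2.
object_url() {
  printf '%s/%s/o/%s?alt=media' "$API_BASE" "$1" "$(urlencode "$2")"
}

# Extract access_token from the metadata server's JSON reply (read on stdin).
parse_token() {
  sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Download object $2 from bucket $1 to stdout.
# The header is passed on stdin (-H @-) so the token is not visible in `ps`.
fetch_object() {
  token=$(curl -sf -H "Metadata-Flavor: Google" "$TOKEN_URL" | parse_token)
  [ -n "$token" ] || { echo "no token from metadata server" >&2; return 1; }
  printf 'Authorization: Bearer %s\n' "$token" | curl -sf -H @- "$(object_url "$1" "$2")"
}

# Usage: ./fetch.sh examplebucket path/to/file.txt > file.txt
if [ "$#" -eq 2 ]; then fetch_object "$1" "$2"; fi
```
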
1

If you are able to create another cluster, you can obtain permission like this: first click on "advanced edit", then click on "Allow full access to all Cloud APIs".

And that's it :D

John Balvin Arias