stackoom
  简体   繁体   中英

Google Cloud Storage: How can I grant an installed application access to only one bucket?

 原文  2015-02-13 03:56:15       authorization/ google-cloud-storage/ google-cloud-platform

Question

I'm developing an application that manipulates data in Google Cloud Storage buckets owned by the user. I would like to set it up so the user can arrange to grant the application access to only one of his or her buckets, for the sake of compartmentalization of damage if the app somehow runs amok (or it is impersonated by a bad actor or whatever).

But I'm more than a bit confused by the documentation around GCS authorization. The docs on OAuth 2.0 authentication show that there are only three choices for scopes: read-only , read-write , and full-control . Does this mean that what I want is impossible, and if I grant access to read/write one bucket I'm granting access to read/write all of my buckets?

What is extra confusing to me is that I don't understand how this all plays in with GCS's notion of projects. It seems like I have to create a project to get a client ID for my app, and the N users also have to create N projects for their buckets. But then it doesn't seem to matter -- the client ID from project A can access the buckets from project B. What are project IDs actually for?

So my questions, in summary:

  1. Can I have my installed app request an access token that is good for only a single bucket?

  2. If not, are there any other ways that developers and/or careful users typically limit access?

  3. If I can't do this, it means the access token has serious security implications. But I don't want to have to ask the user to go generate a new one every time they run the app. What is the typical story for caching the token?

  4. What exactly are project IDs for? Are they relevant to authorization in any way?

I apologize for the scatter-brained question; it reflects what appears to be scatter-brained documentation to me. (Or at least documentation that isn't geared toward the installed application use case.)

4 answers

solution1
 3  2015-02-14 17:58:32

I had the same problem as you.

Go to : https://console.developers.google.com

  • Go to Credentials and create new Client ID
  • You have to delete the email* in "permissions" of your projet.
  • And add it manually in the ACL of your bucket.

*= the email of the Service Account. xxxxxxxxxxxx-xxxxxxxxx@developer.gserviceaccount.com

solution2
 0  2015-02-16 17:45:28

if you are building an app. It's Server to server OAuth. https://developers.google.com/accounts/docs/OAuth2ServiceAccount

"Can you be clearer about which project I create the client ID on (the developer's project that owns the installed application, or the user's project that own's the bucket)?"

the user's project that own's the bucket It's the user taht own the bucket who grant access.

solution3
 0 ACCPTED  2015-02-16 22:15:44

It turns out I'm using the wrong OAuth flow if I want to do this. Thanks to Euca for the inspiration to figure this out.

At the time I asked the question, I was assuming there were multiple projects involved in the Google Developers Console:

  1. One project for me, the developer, that contained generated credentials for an "installed application", with the client ID and (supposed) secret baked into my source code.

  2. One project for each of my users, owning and being billed for a bucket that they were using the application to access.

Instead of using "installed application" credentials, what I did was switch to "service account" credentials, generated by the user in the project that owns their bucket. That allows them to create and download a JSON key file that they can feed to my application, which then uses the JSON Web Tokens flow of OAuth 2.0 (aka "two-legged OAuth") to obtain authorization. The benefits of this are:

  • There is no longer a need for me to have my own project, which was a weird wart in the process.

  • By default, the service account credentials allow my application to access only the buckets owned by the project for which they were generated. If the user has other projects with other buckets, the app cannot access them.

  • But, the service account has an "email address" just like any other user, and can be added to the ACLs for any bucket regardless of project, granting access to that bucket.

solution4
 0  2015-02-16 23:21:29

About your answer.

Glad you solved your problem.

You can also reduce the access to only ONE bucket of the projet. For example, if you have several buckets and the application does not need access to all. By default, the service account has FULL access Read, write and ACL of all buckets. I usually limited to the needed bucket.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to grant access to a file to only one user How to get Bearer access token for a user account to access protected data in cloud storage bucket Authorization Code Grant: how can I get an access token when the user is not present? Google cloud storage authorization How can I limit azure app service access to specific Google users only? How to grant access to specific resources? How do I get access token inside Node.JS Google Cloud function? How to authorize google api access for installed applications (not using localhost) Uploading to google cloud storage with Node.js How do I give access token to Client's users when building BaaS? Is there an OAuth2 grant for that?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM