gcloud backend and App Engine Standard: credentials config problem for buckets with uniform access #909

Closed
przem8k opened this issue Jul 24, 2020 · 3 comments


przem8k commented Jul 24, 2020

I recently integrated django-storages to store user-uploaded files in my personal project on App Engine Standard.

Here's what does work perfectly: if the bucket used to store files has a fine-grained access policy and I set GS_DEFAULT_ACL = 'publicRead', everything "just works". In particular, I don't seem to need to set GOOGLE_APPLICATION_CREDENTIALS – the credentials present in the App Engine environment seem to be enough to authenticate the requests.

However, this does not seem to work if the bucket has a uniform access policy (which could make sense to use, I want all my files in this bucket to be world-readable):

  • if with uniform access policy we set GS_DEFAULT_ACL = 'publicRead', the requests to GCS fail with 4xx, because we're trying to pass an ACL in the request (while the bucket is configured for uniform access policy)
  • if with uniform access policy we set GS_DEFAULT_ACL = None, then django-storages seems to assume that we need to use local credentials to sign the URL and fails with the error below

```
File "/env/lib/python3.7/site-packages/google/cloud/storage/_signing.py", line 55, in ensure_signed_credentials
"details.".format(type(credentials), SERVICE_ACCOUNT_URL)
AttributeError: you need a private key to sign credentials.the credentials you are currently using <class 'google.auth.compute_engine.credentials.Credentials'>
```

It seems that to make it possible to use buckets with uniform access policy w/o local credentials (using the ones present in the App Engine environment) it should be possible to configure django-storages so that it doesn't try to sign anything while making the request (like with GS_DEFAULT_ACL = 'publicRead') but also doesn't pass the ACL when making the GCS request.

In the meantime, the workaround I found to work is just to use a bucket with fine-grained access control – I wrote some more notes on this @ https://pnote.eu/notes/django-app-engine-user-uploaded-files/ .

dulacp added a commit to dulacp/django-storages that referenced this issue Jul 26, 2020
To support Uniform permissions buckets on Google Cloud Storage, we need to keep `GS_DEFAULT_ACL` to `None`, but it forces each url to be signed, which is useless since the uniform permission is usually meant to give world read access. This new parameter solves this use case reported in jschneier#783, jschneier#846 and jschneier#909
mands pushed a commit to datapane/django-storages that referenced this issue Nov 10, 2020
To support Uniform permissions buckets on Google Cloud Storage, we need to keep `GS_DEFAULT_ACL` to `None`, but it forces each url to be signed, which is useless since the uniform permission is usually meant to give world read access. This new parameter solves this use case reported in jschneier#783, jschneier#846 and jschneier#909
@sakimyto

I had exactly the same problem. Thank you.

jschneier pushed a commit that referenced this issue Nov 16, 2020
* Add a new GS_QUERYSTRING_AUTH param to avoid signing urls

To support Uniform permissions buckets on Google Cloud Storage, we need to keep `GS_DEFAULT_ACL` to `None`, but it forces each url to be signed, which is useless since the uniform permission is usually meant to give world read access. This new parameter solves this use case reported in #783, #846 and #909

* Add documentation for the new parameter GS_QUERYSTRING_AUTH

* Minor logic refactor to no_signed_url

Co-authored-by: Pierre Dulac <dulacpier@gmail.com>
@jschneier
Owner

Hello, I believe #952, which was just merged, fixes this. Please confirm.

@sakimyto

> Hello, I believe #952, which was just merged, fixes this. Please confirm.

Looks great. Thanks.

mlazowik pushed a commit to qedsoftware/django-storages that referenced this issue Mar 9, 2022
…#952)

* Add a new GS_QUERYSTRING_AUTH param to avoid signing urls

To support Uniform permissions buckets on Google Cloud Storage, we need to keep `GS_DEFAULT_ACL` to `None`, but it forces each url to be signed, which is useless since the uniform permission is usually meant to give world read access. This new parameter solves this use case reported in jschneier#783, jschneier#846 and jschneier#909

* Add documentation for the new parameter GS_QUERYSTRING_AUTH

* Minor logic refactor to no_signed_url

Co-authored-by: Pierre Dulac <dulacpier@gmail.com>
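
The configurations discussed in this thread, together with the `GS_QUERYSTRING_AUTH` setting added by the fix, modelled as a small settings check. This is an added example, not django-storages code: `check_gcs_settings`, `uniform_access` and `creds_can_sign` are hypothetical names, and the default of `True` for `GS_QUERYSTRING_AUTH` is an assumption.

```python
# Added example: a model of the cases in this issue, not django-storages code.
# check_gcs_settings, uniform_access and creds_can_sign are hypothetical names.

def check_gcs_settings(settings, uniform_access, creds_can_sign):
    """Return (url_kind, problems) for a GCS storage configuration.

    settings        -- dict with GS_DEFAULT_ACL and, optionally, GS_QUERYSTRING_AUTH
    uniform_access  -- True if the bucket uses a uniform access policy
    creds_can_sign  -- True if the credentials hold a private key; False for the
                       token-only credentials of the App Engine environment
    """
    acl = settings.get("GS_DEFAULT_ACL")
    # Assumption: signing stays on unless GS_QUERYSTRING_AUTH is set to False.
    querystring_auth = settings.get("GS_QUERYSTRING_AUTH", True)
    problems = []

    # Case 1 of the report: an ACL sent to a uniform-access bucket fails with 4xx.
    if uniform_access and acl is not None:
        problems.append("acl-on-uniform-bucket")

    # No signing when the ACL is publicRead or query-string auth is disabled.
    if acl == "publicRead" or not querystring_auth:
        return "public", problems

    # Case 2 of the report: signing needs a private key, which token-only
    # credentials do not have ("you need a private key to sign credentials").
    if not creds_can_sign:
        problems.append("no-private-key-for-signing")
    return "signed", problems


# Constructed cases: (label, settings, uniform_access, creds_can_sign)
CASES = [
    ("fine-grained + publicRead", {"GS_DEFAULT_ACL": "publicRead"}, False, False),
    ("uniform + publicRead", {"GS_DEFAULT_ACL": "publicRead"}, True, False),
    ("uniform + ACL None", {"GS_DEFAULT_ACL": None}, True, False),
    ("uniform + ACL None + no query-string auth",
     {"GS_DEFAULT_ACL": None, "GS_QUERYSTRING_AUTH": False}, True, False),
]

def run_cases():
    return {label: check_gcs_settings(s, u, c) for label, s, u, c in CASES}

if __name__ == "__main__":
    for label, result in run_cases().items():
        print(f"{label}: {result}")
```

A `public` result means the returned URL carries no signature and no expiry, so that configuration only suits buckets whose objects are meant to be world-readable.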