[Storage] "No project ID was provided" error adding notification to just-created bucket #1079
Comments
Thanks for the report @zynyz. If you inspect the credentials file being used in your client, does it include a project ID? I believe newer credentials should include this, but in legacy situations it may not be included. If not, there are two options that should work here. Include the project ID explicitly when you instantiate the storage client:

```php
$storage = new StorageClient([
    'projectId' => 'my-project'
]);
```

or use a fully qualified topic name, which includes your project ID:

```php
$notification = $bucket->createNotification('projects/my-project/topics/my-topic');
```

Please let me know if this helps :).
Hi @dwsupplee - Okay, it turns out the project ID was not getting set in my test rig. But, the project ID is in the credentials file (for a service account, in JSON format). I guess my big question is "how did the bucket creation work?" Are there certain actions you need an explicitly-set project ID to do?
Interesting, which method are you using for authentication? I would imagine we should be able to detect the project ID on your behalf given that; this may be something we need to look at fixing.
Generally speaking, the Storage API doesn't require knowledge of the project ID. Creating a notification is an exception because the request requires the fully qualified topic name.
Hey, thanks for the quick response. I'm not sure what you mean by auth method. I'm just calling
Okay, that makes sense.
Perfect, thanks 👍. What I meant by authentication was whether you were using an environment variable, application default credentials, or explicitly passing in your keyfile (as it looks like you are).
Actually, I also have the $GOOGLE_APPLICATION_CREDENTIALS env var set. I had completely forgotten about that. It points to a different keyfile, one that does not have a project ID. I take it one is overriding the other?
If you supply a keyfile to the client explicitly, it should take priority over the environment variable. The order of precedence is outlined here.
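The precedence question above is easy to check from code. The following is an added example, not code from the thread or from the google-cloud-php project: it resolves which key file the client will actually use (an explicit path beats `GOOGLE_APPLICATION_CREDENTIALS`), reports whether that file carries a `project_id`, and then builds a fully qualified topic name so that `createNotification()` no longer depends on project-ID detection at all. The key-file path and project name are placeholders; `keyFilePath` and `projectId` are the real client options.

```php
<?php
// Added example (not from the thread). Decide which service-account key file
// is in effect and whether it carries a project_id, which is exactly what
// createNotification() needs when given a bare topic name.
require 'vendor/autoload.php';

use Google\Cloud\Storage\StorageClient;

/**
 * Returns ['path' => string, 'projectId' => string|null] for the credentials
 * that will be used. $explicitPath is what you would pass as 'keyFilePath';
 * null means "fall back to GOOGLE_APPLICATION_CREDENTIALS", mirroring the
 * precedence described in the thread.
 */
function resolveCredentials(?string $explicitPath): array
{
    $path = $explicitPath;
    if ($path === null) {
        $env = getenv('GOOGLE_APPLICATION_CREDENTIALS');
        $path = ($env === false || $env === '') ? null : $env;
    }
    if ($path === null || !is_readable($path)) {
        throw new RuntimeException('No readable service-account key file found');
    }

    $key = json_decode(file_get_contents($path), true);
    if (!is_array($key) || ($key['type'] ?? '') !== 'service_account') {
        throw new RuntimeException("$path is not a service-account key file");
    }

    // Legacy key files may omit project_id; newer ones include it.
    return ['path' => $path, 'projectId' => $key['project_id'] ?? null];
}

$creds = resolveCredentials('/path/to/explicit-key.json'); // placeholder path

// If the file has no project_id, supply one explicitly rather than letting
// the client fail later with "No project ID was provided".
$projectId = $creds['projectId'] ?? 'my-project'; // placeholder fallback

$storage = new StorageClient([
    'keyFilePath' => $creds['path'],
    'projectId'   => $projectId,
]);

// A fully qualified topic name removes the dependency on project detection.
$topicName = sprintf('projects/%s/topics/%s', $projectId, 'my-topic');
printf("Using %s (project %s); topic %s\n", $creds['path'], $projectId, $topicName);
```

Running this against both key files mentioned in the thread shows immediately which one lacks `project_id`, which is the difference between bucket creation succeeding and `createNotification()` failing.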
I've been working more on this, and now the error that comes back from createNotification() is
This is confusing, since that account does not even exist in our project. The account I'm using is
which has Owner access. The topic does exist. This seems to be related to this issue: https://github.com/GoogleCloudPlatform/google-cloud-common/issues/231 which doesn't seem to have a clear resolution. Any help walking through this minefield would be very much appreciated.
Hi, in my experience I created the notification topic manually from the Google Cloud console, and for that topic I manually added (from the console) the publisher Pub/Sub permission to the [project-name]@gs-project-accounts.iam.gserviceaccount.com account.
@zynyz, You're right, we should definitely make this more clear. I am working on some updates which will improve this story. In the meantime @illambo's helpful suggestion will do the trick, or you can do the same through code with the following. If you've installed just the Storage component so far, you'll want PubSub as well:

```shell
composer require google/cloud-pubsub
```

Now we can update the IAM bindings through code to grant Storage access to publishing to your topic:

```php
require 'vendor/autoload.php';

use Google\Cloud\PubSub\PubSubClient;
use Google\Cloud\Storage\StorageClient;

$topic = 'my-topic';
$projectId = 'my-project';
$bucket = 'my-bucket';

$topicIam = (new PubSubClient())
    ->topic($topic)
    ->iam();

// Fetch the current policy (it carries the etag, so setPolicy() below
// fails rather than silently overwriting a concurrent change).
$policy = $topicIam->policy();

// Add permissions for the service account associated with Storage to publish
// to your topic. Append a binding instead of replacing $policy['bindings'],
// so any existing bindings on the topic are preserved.
$policy['bindings'][] = [
    'role' => 'roles/pubsub.publisher',
    'members' => [
        'serviceAccount:' . $projectId . '@gs-project-accounts.iam.gserviceaccount.com'
    ]
];
$topicIam->setPolicy($policy);

// event_types is a list, so pass an array even for a single event type.
$notification = (new StorageClient())
    ->bucket($bucket)
    ->createNotification($topic, [
        'event_types' => ['OBJECT_FINALIZE']
    ]);
```
When doing this, using the same project ID and keyfile, I get an error PERMISSION_DENIED / "User not authorized to perform this action." My code is just like yours.
No offense, but this is not unclear, it's extremely obscure. It doesn't make any sense that this should be necessary. With the same service account, I've created the bucket and created the topic. It seems reasonable that the bucket should already have perms to send notifications to the topic. Honestly, this is something the API should take care of. If I use gsutil, it will add the proper permissions automatically (and silently). I would expect the same behavior from the API, at least as an option. I apologize if I come off as flamey here, but I'm a little frustrated about all this.
I can empathize with the frustration. Apologies this has been a blocker. We'll make sure we get the method updated to include a sample on how to update the IAM policy to grant Storage the ability to send notifications to the topic.
I am definitely open to this. @frankyn does this seem like a feature that would be reasonable from the client libraries?
Could you verify the service account being used has the correct permissions set on the topic? This can be done here. If you haven't already taken a look, the prerequisites section for registering notifications should provide a little more detail.
The service account has Editor permissions - it's just the default service account for the project. My test code creates the topic, creates the bucket, then attempts to add a notification, so it's all using the same account. The code is blowing up on the call to get the existing policy, so it's not even a problem setting the policy. According to this page, I need roles/owner perms to see the policy for a topic I just created with roles/editor perms. Is that actually the case?
Yes it is correct, you need the owner or admin role in order to modify/view IAM.
Then how come I can do this via gsutil using the same account?
I tried to replicate and found the following. Using gsutil with a service account which has the project editor role:

```shell
gsutil notification create -t projects/my-project/topics/my-topic -f json gs://my-bucket
```

failed with

When you run

returns

Without the -s option, gsutil creates the notification successfully. Service account

I'm using gsutil v 4.28, if that helps any.
That makes sense, and explains why the PHP code is failing. After updating the permissions for that account you should be good to go.
My understanding is this is a service account used by the Storage "backend". It isn't something you need to worry about having control over, it just needs permissions to your topic.
Okay, I understand the problems, but the whole thing is pretty confusing. I really hope the docs can get updated with a clear explanation of the situation and the pitfalls. If this whole business could get wrapped into createNotification(), that would be beyond terrific. Thanks for all your help.
Hello everyone. Is it correct that the format of Google Cloud Storage service accounts was changed? It was "[project-name]@gs-project-accounts.iam.gserviceaccount.com", and currently it is "service-[projectId]@gs-project-accounts.iam.gserviceaccount.com". I used JSON format for the topic resource, something like that:

So, how can this service account name be fetched by Deployment Manager dynamically during the creation of a deployment?
Acking I missed this issue. Will look over. Apologies for the delay. |
@nazarkazymov-devpronet I just opened #1173 which should allow you to programmatically fetch the service account. Please take a look when you have a moment and let me know if it achieves what you're looking for.
@dwsupplee thank you, sorry for some misunderstanding,
Thanks for the clarification @nazarkazymov-devpronet :), sorry for the confusion. As you mentioned, this repository is more focused on the PHP client libraries and unfortunately may not be the best place to find answers to your question. We actively monitor StackOverflow if you'd like to try posting the question there. Alternatively, @frankyn might be able to help out and he's a Storage expert :).
@frankyn Can you help me, please, with this question about the storage service account?
@nazarkazymov-devpronet responded to your question. You were caught in-between the old and the new format for the GCS service account. Reading over the other bits of this issue now.
@dwsupplee, I think it would be helpful to outline an example of setting up a GCS PubSub notification in PHP client library documentation instead of performing the whole action on behalf of the user. Now that That is one option, the better solution would be to put this on cloud.google.com/storage/docs, but that will take some time to do. @nazarkazymov-devpronet you can also generate the GCS service account using the API explorer for
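The two remaining pain points in this thread are the IAM update (the earlier snippet replaces the topic's bindings wholesale) and the change in the GCS service account's address format. The following is an added example, not code from the thread or from the google-cloud-php project: it asks the API for the Storage service account via `StorageClient::getServiceAccount()` (the method the thread says #1173 adds; its availability in your installed version is an assumption), merges a single `roles/pubsub.publisher` binding into the existing policy without dropping other bindings, and registers the notification using a fully qualified topic name and an `event_types` array. Project, topic and bucket names are placeholders.

```php
<?php
// Added example, not from the thread or the library's docs. Grants the GCS
// service account publish-only rights on the topic without clobbering existing
// bindings, then registers the bucket notification. Assumes google/cloud-storage
// and google/cloud-pubsub are installed and that StorageClient::getServiceAccount()
// exists in the installed version (the thread says #1173 adds it).
require 'vendor/autoload.php';

use Google\Cloud\PubSub\PubSubClient;
use Google\Cloud\Storage\StorageClient;

$projectId = 'my-project';  // placeholder
$topicId   = 'my-topic';    // placeholder
$bucket    = 'my-bucket';   // placeholder

$storage = new StorageClient(['projectId' => $projectId]);
$pubsub  = new PubSubClient(['projectId' => $projectId]);

// Ask the API for the GCS service account rather than hard-coding either the
// old "<project>@gs-project-accounts..." or the new "service-<n>@gs-project-accounts..."
// form, so a future format change cannot silently break this code.
$gcsMember = 'serviceAccount:' . $storage->getServiceAccount();

$topicIam = $pubsub->topic($topicId)->iam();
$policy   = $topicIam->policy();   // includes the etag: setPolicy() is compare-and-set

// Least privilege: Storage only needs to publish, never subscribe or administer.
$role     = 'roles/pubsub.publisher';
$bindings = $policy['bindings'] ?? [];
$found    = false;
foreach ($bindings as &$binding) {
    if ($binding['role'] === $role) {
        $found = true;
        if (!in_array($gcsMember, $binding['members'], true)) {
            $binding['members'][] = $gcsMember;   // idempotent: no duplicate members
        }
    }
}
unset($binding);
if (!$found) {
    $bindings[] = ['role' => $role, 'members' => [$gcsMember]];
}
$policy['bindings'] = $bindings;   // all pre-existing bindings are kept
$topicIam->setPolicy($policy);

// Fully qualified topic name: no reliance on project-ID detection from the key file.
$notification = $storage->bucket($bucket)->createNotification(
    sprintf('projects/%s/topics/%s', $projectId, $topicId),
    ['event_types' => ['OBJECT_FINALIZE']]
);
printf("Notification %s registered for gs://%s -> %s\n", $notification->id(), $bucket, $gcsMember);
```

Note that reading and writing the topic's IAM policy still requires the caller to hold a role that includes `pubsub.topics.getIamPolicy` and `pubsub.topics.setIamPolicy` on the topic (owner or admin, as discussed above); the script does not and cannot grant those to itself. Running it twice is safe because the binding merge is idempotent.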
@frankyn I see. Unfortunately I don't use any client API, I want to create a topic resource using Deployment Manager and a Python resource file. And if I understand correctly, is it impossible to call the API explorer from these Python resource files? I have to hardcode the project's name or project's ID in string parameters for now and can't call the getServiceAccount API.
I missed that, what I'd recommend is to try providing the new format in your Resource Manager configuration without calling getServiceAccount. Please let me know if this still blocks you. I don't expect it to change anytime soon, but I can understand the frustration of it being updated and potentially breaking things in the future.
I've got it. Thank you very much for your explanation.
Oh btw, you can also use the gsutil tool for the project you're using resource manager with:
@nazarkazymov-devpronet can we close this issue? |
@frankyn Let's please leave this open, as it will be used to track the updates to the documentation.
From my side (and what about just my problem), I don't have any questions. Thank you all, guys.
Sgtm @dwsupplee! Thanks @nazarkazymov-devpronet!
I'm creating a bucket, then trying to set a notification on it. The bucket is created fine, CORS is set fine, but when I try to add the notification, it throws an exception with "No project ID was provided, and we were unable to detect a default project ID."
My code (simplified):
Am I doing something wrong here?