bug-1881575: only require objectUser permissions for GCS (#1001)

antenna/ext/gcs/crashstorage.py

@@ -103,7 +103,7 @@ def _save_file(self, path, data):
         :arg bytes data: the data to save
 
         """
-        bucket = self.client.get_bucket(self.bucket)
+        bucket = self.client.bucket(self.bucket)
         blob = bucket.blob(path)
         blob.upload_from_string(data)
 
@@ -115,7 +115,7 @@ def _load_file(self, path):
         :returns: data as bytes
 
         """
-        bucket = self.client.get_bucket(self.bucket)
+        bucket = self.client.bucket(self.bucket)
         blob = bucket.blob(path)
         return blob.download_as_bytes()
 
@@ -126,8 +126,9 @@ def verify_write_to_bucket(self):
     def check_health(self, state):
         """Check GCS connection health."""
         try:
-            # get the bucket to verify GCS is up and we can connect to it.
-            self.client.get_bucket(self.bucket)
+            # check if a blob exists to verify GCS is up and we can connect to it,
+            # without exceeding the permissions granted by roles/storage.objectUser
+            self.client.bucket(self.bucket).blob(generate_test_filepath()).exists()
         except Exception as exc:
             state.add_error("GcsCrashStorage", repr(exc))
 

tests/unittest/test_gcs_crashstorage.py

@@ -97,7 +97,7 @@ def test_missing_bucket_halts_startup(self, client, gcs_helper):
     @patch("google.cloud.storage.Client")
     def test_write_error(self, MockStorageClient, client):
         mock_client = MockStorageClient.return_value
-        bucket = mock_client.get_bucket.return_value
+        bucket = mock_client.bucket.return_value
         good_blob = Mock()
         bad_blob = Mock()
         bad_blob.upload_from_string.side_effect = Unauthorized("not authorized")