GCS config for ActiveStorage requires presence of file gcs.keyfile #31586

Closed
Artur-Sulej opened this issue Dec 28, 2017 · 5 comments

@Artur-Sulej

Steps to reproduce

File storage.yml contains example configurations for S3 and GCS:

```yaml
# Use rails credentials:edit to set the AWS secrets (as aws:access_key_id|secret_access_key)
# amazon:
#   service: S3
#   access_key_id: <%= Rails.application.credentials.dig(:aws, :access_key_id) %>
#   secret_access_key: <%= Rails.application.credentials.dig(:aws, :secret_access_key) %>
#   region: us-east-1
#   bucket: your_own_bucket

# Remember not to checkin your GCS keyfile to a repository
# google:
#   service: GCS
#   project: your_project
#   keyfile: <%= Rails.root.join("path/to/gcs.keyfile") %>
#   bucket: your_own_bucket
```

To configure S3 you just need to fill in values in the YAML, and you can do it conveniently via Rails.application.credentials. GCS configuration is more troublesome, as it requires a path to a file in keyfile, and this file needs to be uploaded without using VCS. This creates a problem on services like Heroku, where all files come only from VCS.

Expected behaviour

It would be great if there were a key for the value of gcs.keyfile, for example keyfile_json, instead of keyfile, which requires the path of gcs.keyfile.

System configuration

Rails version: 5.2.0.beta2

Ruby version: 2.4.2

@georgeclaghorn
Contributor

georgeclaghorn commented Dec 28, 2017

You can provide a Hash of keyfile data:

```yaml
gcs:
  service: GCS
  credentials:
    type: "service_account"
    project_id: ""
    private_key_id: ""
    private_key: ""
    client_email: ""
    client_id: ""
    auth_uri: "https://accounts.google.com/o/oauth2/auth"
    token_uri: "https://accounts.google.com/o/oauth2/token"
    auth_provider_x509_cert_url: "https://www.googleapis.com/oauth2/v1/certs"
    client_x509_cert_url: ""
  project: ""
  bucket: ""
```
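
An added example, not from the thread or from Rails: one way to fill the `credentials` Hash from an environment variable on a host such as Heroku, rendering ERB and then YAML (the order Rails applies to storage.yml), checking the key's fields, and redacting secrets before logging. The variable name `GCS_CREDENTIALS_JSON`, the helper names and the sample key are assumptions constructed for illustration.

```ruby
require "erb"
require "json"
require "yaml"

# Fields checked before the Hash is handed to the storage client.
REQUIRED_KEYS = %w[type project_id private_key_id private_key client_email].freeze

# Constructed storage.yml; GCS_CREDENTIALS_JSON is an assumed variable name.
STORAGE_YML = <<~YAML
  gcs:
    service: GCS
    credentials: <%= env.fetch("GCS_CREDENTIALS_JSON") %>
    project: example-project
    bucket: example-bucket
YAML

# Constructed service-account key; every value is a placeholder.
SAMPLE_KEY = JSON.generate({
  "type" => "service_account",
  "project_id" => "example-project",
  "private_key_id" => "constructed-key-id",
  "private_key" => "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
  "client_email" => "uploader@example-project.iam.gserviceaccount.com"
})

# Render ERB, parse the YAML, and reject incomplete or non-service-account keys.
def load_gcs_config(template, env)
  rendered = ERB.new(template).result_with_hash(env: env)
  config = YAML.safe_load(rendered).fetch("gcs")
  creds = config.fetch("credentials")
  raise ArgumentError, "credentials must be a Hash" unless creds.is_a?(Hash)
  missing = REQUIRED_KEYS.select { |key| creds[key].to_s.strip.empty? }
  raise ArgumentError, "missing fields: #{missing.join(', ')}" unless missing.empty?
  raise ArgumentError, "not a service account key" unless creds["type"] == "service_account"
  config
end

# Copy that is safe to log: secret material is replaced, the input is untouched.
def redact(config)
  secrets = { "private_key" => "[REDACTED]", "private_key_id" => "[REDACTED]" }
  config.merge("credentials" => config["credentials"].merge(secrets))
end

if $PROGRAM_NAME == __FILE__
  config = load_gcs_config(STORAGE_YML, { "GCS_CREDENTIALS_JSON" => SAMPLE_KEY })
  puts redact(config).to_yaml
end
```

The JSON is embedded as a YAML flow mapping, so the key never has to exist as a file in the repository or on the dyno's disk.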

@Artur-Sulej
Author

```
Google::Cloud::PermissionDeniedError: forbidden: <client_email> does not have storage.buckets.get access to <bucket_name>.
```
Why does it require permission to list all buckets if I only need to manage files in one bucket?

@vincentwoo

I agree that the default permissions required for activestorage on GCS seem weird.

@guycall

guycall commented Aug 17, 2020

@hot-cheese I just hit the same problem. It appears to be due to the design of the google-cloud-ruby client and not activestorage - googleapis/google-cloud-ruby#1588 (comment)

@vincentwoo

It seems that the underlying library has committed an option to skip the need for list_bucket permissions:

```ruby
bucket = storage.bucket "some-bucket", skip_lookup: true
```

See: googleapis/google-cloud-ruby#1588 (comment)
