Google could storage patch is forbidden with http 403 response - patch

I am using a service account to access a cloud storage bucket to add/list/remove file and update meta data. The service account is in the same project and cloud bucket. I set service account as owner for the project team.
I am using the java API from google
<dependency>
<groupId>com.google.api-client</groupId>
<artifactId>google-api-client</artifactId>
<version>${google.version}</version>
</dependency>
<dependency>
<groupId>com.google.apis</groupId>
<artifactId>google-api-services-storage</artifactId>
<version>v1-rev2-1.18.0-rc</version>
</dependency>
<dependency>
<groupId>com.google.api-client</groupId>
<artifactId>google-api-client-jackson2</artifactId>
<version>${google.version}</version>
</dependency>
With the code, I can add/delete/list/download, but when I update the meta data with patch command, I got a 403 forbidden response,
I go to the cloud storage browser to check permission. All the permissions are listed by cloud storage ID. I can not find out cloud storage ID for my service account. But there is an extra entry as owner besides editor, owner, and team. I assume that it is my service account.
Any suggestions?
thanks

Need StorageScopes.DEVSTORAGE_FULL_CONTROL permission. Read and Write is not enough to modify meta data. This is not documented anywhere. I found this out in a hard way

Related

There was an error granting Firebase Service Agent access to your secret

I am facing an error while installing an Algolia extension into my firebase project.
Error-
When I click on the "Create secret" button, the error below is visible
Only admin can add Key. Check your project permission
When installing the extension it will ask you to enable the secrets API, what this does is enables the Secrets Manager API from google cloud (what firebase is built on top of). You can manually check this is enabled with the below URL, and if its not - enable it.
https://console.cloud.google.com/apis/api/secretmanager.googleapis.com/overview?project=YOUR_PROJECT_ID
As with all google cloud API's, when you enable them it takes a few minutes for the changes to propagate. Try again in ten minutes, and you will find your error is resolved, you're able to create the secret, and you can install the extension.

authorization and authentication mechanism in GCP

I want to create a Udemy like video platform where a user can see all videos but can watch videos only that he has purchased.
I am making a rest call to get the videos from the storage bucket from an angular application, using Firebase authentication here. In my GET request to storage bucket I am passing the access token that I got from Firebase authn.
Does this access token can be used to determine scope of the user to access video in a bucket?
Assume if I have given read access for a video in a bucket for a specific user, using the access token can I get the video? But every time I tried it shows unauthorized. Is there any other way to verify users access to storage bucket object.
Google recommend to not use ACL because it's hard to manage and to have a global view on the authorization.
In most cases, Cloud Identity and Access Management (Cloud IAM) is the recommended method for controlling access to your resources.
Caution: Permissions can be granted either by ACLs or Cloud IAM policies. In general, permissions granted by Cloud IAM policies do not appear in ACLs, and permissions granted by ACLs do not appear in Cloud IAM policies. The only exception is for ACLs applied directly on a bucket and certain bucket-level Cloud IAM policies, as described in Cloud IAM relation to ACLs.
IMO, the best pattern is to have a database on your side with the file on GCS allowed per user. You can store these in Firestore: affordable, pay as you use, generous free tier. For downloading the video, you can generate a temporarily access to the user by generating a signedUrl.
As per mention Guillaume Cloud Storage use the ACL pattern in order to have a control to the access of the resources stored in their buckets.
Nevertheless, when you need to storage wide objects per user in this case a video, you can store these in Firestore: affordable, pay as you use, generous free tier. This is a very suitable option since Firestore can use as another resource
Is recommended for this scenario generate a signed URL

Data access audit log firebase

How do to enable data access log and audit log for Firebase. In GCP Platform, I am able to see audit log and data access log for cloud datastore. How do we enable the same in firebase?
I have few tables in firebase, client is complaining of few calls not being serviced and has got the error in connecting. 3 requests failed out of 821 requests.
This feature is available for firebase firestore now.
https://cloud.google.com/firestore/docs/audit-logging
Need to enable IAM audit log for Firebase API and that helps in tracking the firebase activities.
There is no accessible data access log for the Firebase Realtime Database. If you can reproduce the problem, you might want to reach out to Firebase support to see if they can find the missing client calls in their logs.

How to get firebase real-time database usage programmatically

Is there any API available for getting real-time database usage.
We need to show usage and related info on our dashboard and my client don't want to visite firebase consol and option for the upgrade or downgrade plan programmatically
There is currently no API for this. You may file a feature request here.

How to access alfresco cloud repository using cmis?

I am new to alfresco. I have alfresco cloud account and I want to access content in cloud repository. But I unable to figure out repository url for same.I need repository url format to connet to alfresco cloud account.
Thanks in advance.
The URL for CMIS 1.0 and the AtomPub binding is:
https://api.alfresco.com/cmis/versions/1.0/atom
You may also be able to use CMIS 1.1, just change the version number. I believe the browser binding may now be supported on Alfresco in the cloud. To try it, just change /atom to /browser.
Alfresco in the cloud uses OAuth so you'll need to do the "OAuth dance" to exchange your API key and secret for a bearer token. There are multiple OAuth clients available that will work with Alfresco in the cloud. For an example of how to use the Google OAuth client you might want to look at this project on Google Code.
If you don't have an Alfresco in the cloud API key you can get one for free from https://www.alfresco.com/develop/cloud/signup.

Resources