Anonymous caller does not have storage.objects.get

google-app-engine google-cloud-platform http-headers google-cloud-storage urlfetch
James Ching picture James Ching · May 25, 2019 · Viewed 33.8k times · Source

On Google App Engine (GAE) written in Python.

I am trying to issue an http post to cloud-speech-to-text api and using URI audio source (Google Cloud Storage Bucket Objects).

I am using the following headers;

Authorization: BASIC encoded_base64(username:password)

But I still keep getting an error response below:

{ "error": { "code": 403, "message": "Anonymous caller does not have storage.objects.get access to bucket_of_secrets/four_score_seven_years.flac.", "status": "PERMISSION_DENIED" } }

So I have a couple of questions;

  1. Does BASIC Authorization Header work in Google HTTP API?
  2. What username:password should I use? Is it my GCP account email and password? i.e. [email protected]:deluded_fool

Where [email protected] is the username and deluded_fool is the password.

I've tried setting the bucket objects to be public readable and of course the http call works... but I would rather avoid setting my bucket objects public readable.

Here's a sample Curl request:

curl -X POST 

https://speech.googleapis.com/v1/speech:longrunningrecognize?key=<secret_api_key> -d @sample.json -H "Content-Type: application/json, Authorization:  Basic base64encodedusername:password"

Here's a snippet in my python code using urlfetch:

url_post = urlfetch.fetch(url=speech_to_text_url_post, payload=json.dumps(data_to_post), method=urlfetch.POST, headers={"Content-Type" : "application/json", "Authorization" : "Basic "+encoded_user_password})

Answer

takryo picture takryo · May 25, 2019

1.Does BASIC Authorization Header work in Google HTTP API?

No, It is not working on Google APIs. You need to attach OAuth2.0 accessToken to Authorization Header as bearer token like Authorization: Bearer ${yourAccessToken}.

I have 2 recommendations to develop some application running on gae.

  1. Use ClientLibrary to call Google APIs.
  2. You can use AppEngineDefaultCredential to call Google APIs. Do not forget to set permissions to your AppEngineDefaultServiceAccount (${projectId}@appspot.gserviceaccount.com) before issue your request. You can configure those permissions on IAM page in cloud console.

Also I recommend you to read this page about How to authenticate your api call.

Related questions

What is the difference between Google App Engine and Google Compute Engine?

I was wondering what the difference between App Engine & Compute Engine are. Can anyone explain the difference to me?

Read More
Get root password for Google Cloud Engine VM

I just finished installing cPanel in a CentOS VM in Google Cloud Engine and cPanel said the default username is root and the default password is the server's root password. 2016-01-26 12:02:52 958 ( INFO): 3. Enter the word root in the Username …

Read More
How to use Google App Engine with my own naked domain (not subdomain)?

After hours of reading about and experimenting with DNS records I can access my Google App Engine app via these URLs: myappid.appspot.com www.myappid.myowndomain.com What does not work: myowndomain.com www.myowndomain.com I want to …

Read More