Error: Bucket Policy Only

[ntopulos]

Google Cloud Storage buckets have an option to define access control on the whole bucket instead of the per object approach:

Set permissions uniformly at bucket-level (Bucket Policy Only)
Enforces the bucket’s IAM policy without object ACLs. May help prevent unintended access. If selected, this option becomes permanent after 90 days.

Using such a bucket results in error:

Cannot use ACL API to set object policy when object policies are disabled.

Is this package compatible with these buckets?

[LorenzoSapora]

I just hit this too, I was able to upload a period ago (I don't remember, mine is a development server, so I can't place exactly when I last used the upload functionality).

But, I know nothing has changed in terms of my GCP buckets, or my GCS integration.

[LorenzoSapora]

Possibly related to this? I see that superbalist/laravel-google-cloud-storage uses superbalist/flysystem-google-cloud-storage which uses google/cloud-storage, as this stackoverflow question states.

The dates aren't exactly close (11 months) but might be something to start with.

[LorenzoSapora]

Sorry for the comment spam, but my issue was solved by changing the bucket access controls to 'fine grained' verses 'uniform'.

Hope this helps (although brings up the issue of buckets that use uniform permissions..)

[tao]

I found this problem too.

{ "error": { "code": 400, "message": "Cannot insert legacy ACL for an object when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access.", "errors": [ { "message": "Cannot insert legacy ACL for an object when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access.", "domain": "global", "reason": "invalid" } ] } }

[prazian]

I got the same error, any thoughts guys?

[LorenzoSapora]

Did you try my solution @prazian (and possibly @tao, too)

[prazian]

Thank you @LorenzoSapora for the prompt response. 🙂

Is it possible to make the bucket publicly accessible using fine-grained?

I'm using Terraform to create the bucket this way, and by changing bucket_policy_only value to false it made it fine-grande, but I cannot access images publicly anymore.

Do I need to change anything else on the bucket level to make it accessible publicly for everyone to read with fine-grained? 🤔 (i.e.: adding new role or something?)

resource "google_storage_bucket" "bucket-public" {
  name     = var.bucket_name_public
  location = var.bucket_location

  force_destroy = false

  bucket_policy_only = false

  website {
    main_page_suffix = "index.html"
    not_found_page   = "404.jpg"
  }
  cors {
    origin              = ["*"] // This allows allows everyone to fetch for test
    method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
    response_header = ["*"]
    max_age_seconds = 3600
  }
}

[prazian]

Sorry my stupid mistake. 😄
I forgot to add 'visibility' => 'public' in the filesystem config file

[wmather]

@tao I believe this is the problem https://github.com/Superbalist/flysystem-google-cloud-storage/blob/f3ec295003c52502a33ef8b97ed1b184ffb89871/src/GoogleStorageAdapter.php#L148
as per this change: https://github.com/googleapis/google-cloud-php/pull/2541/files

$options['predefinedAcl'] should not exist if the bucket has uniform access control. There is no way to prevent his being passed by this package's parent.

[tao]

Sorry, I can't confirm if this fixes the issue anymore. I find google cloud quite frustrating to use so I switched back to AWS.

[tthiagogaia]

Sorry for the comment spam, but my issue was solved by changing the bucket access controls to 'fine grained' verses 'uniform'.

Hope this helps (although brings up the issue of buckets that use uniform permissions..)

Solved for me, thanks!

[ultrono]

For new or buckets less than 90 days old the solution from @LorenzoSapora works. For existing buckets older than 90 days this isn't allowed by Google. Google themselves suggest creating a new bucket.

From what I can see this is the only solutipon until Superbalist/flysystem-google-cloud-storage#114 is merged.

[arifw3]