
Permission error with newest version: 'iam.serviceAccounts.signBlob' denied on resource

Open hendrik244 opened this issue 1 year ago • 8 comments

Hi,

Just updated to the latest version of strapi and this plugin. All services are hosted in gcp. After updating I received this error when trying to fetch content with images (stored in gcs) included:

(screenshot attached: 2023-05-25 10:34:47, image not included)

After rolling it back to the formerly used version (4.5.6) it all runs fine again, even with the latest strapi version.

Best regards, Hendrik

hendrik244 avatar May 25 '23 08:05 hendrik244

I have the same issue with 4.10.2

tjablonski avatar May 29 '23 15:05 tjablonski

Same here

marcneander avatar Jun 01 '23 11:06 marcneander

This helped me out: https://stackoverflow.com/questions/75071759/google-cloud-storage-permission-denied

Maybe not the plugin, but gcp is the problem...

hendrik244 avatar Jun 06 '23 06:06 hendrik244

Maybe not the plugin, but gcp is the problem...

I think it also relates to the 4.10.1 release: https://github.com/strapi-community/strapi-provider-upload-google-cloud-storage/releases/tag/4.10.1

Because this release supports gcs signed url https://cloud.google.com/storage/docs/access-control/signed-urls#signing-iam

If my guess is correct, enabling the publicFiles option will change the situation (if you don't want to use ~~the expires option~~ signed urls).

knokmki612 avatar Jul 12 '23 03:07 knokmki612

Is it possible to not use signed urls on public files? Or maybe we can configure whether we want to use signed URLs or not?

LaurenceHo avatar Jul 20 '23 04:07 LaurenceHo

This helped me out: stackoverflow.com/questions/75071759/google-cloud-storage-permission-denied

Maybe not the plugin, but gcp is the problem...

This also helped fix things for me! Specifically adding the "Service Account Token Creator" role to our service account. Also just wanted to show off my config block in case it helps anyone else!

(screenshot of the config block attached, image not included)

benaduggan avatar Jul 31 '23 13:07 benaduggan

Is that possible we don't use signed url on public files?

Yes, that's possible. If you set the publicFiles option to true, you get unsigned urls. This behavior is documented as follows:

Files are signed when publicFiles is set to false.

https://github.com/strapi-community/strapi-provider-upload-google-cloud-storage#expires

or maybe we can config whether we want to use signed URL or not?

We can choose whether or not to use signed URLs with the publicFiles option.

knokmki612 avatar Jul 31 '23 13:07 knokmki612

This should just be documented on the new version, but it is not something that this plugin can change.

The new version of the @google-cloud/storage library uses the new signature method to sign the upload (and preview) URLs. The new method requires a different IAM permission, not on the bucket but on the service account itself.

You either have to use a key file, which allows signing the blobs locally, or grant the role "Service Account Token Creator" (role/iam.serviceAccountTokenCreator) to the service account on the service account itself. This is in addition to the roles required to manage the files in the bucket, those were already required and still are.

Fryuni avatar Oct 25 '23 20:10 Fryuni
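As an added example (not code from the plugin or from anyone in this thread), the check below audits the IAM policies involved in the Token Creator fix described above: it confirms the service account has `roles/iam.serviceAccountTokenCreator` on itself, and flags the over-broad alternative of granting that role at project level, which lets the account mint tokens for every service account in the project. It assumes the policy JSON shape printed by `gcloud iam service-accounts get-iam-policy SA --format=json` and `gcloud projects get-iam-policy PROJECT --format=json` (a `bindings` array of `role`, `members` and optional `condition`); the service account email and sample policies are constructed.

```javascript
// Added example: audit whether the Strapi service account can call signBlob on
// itself (needed for IAM-based signed URLs) and whether the grant is scoped
// tightly. Policy objects follow the gcloud --format=json layout.

const TOKEN_CREATOR = 'roles/iam.serviceAccountTokenCreator';

// All bindings in `policy` that grant `role` to `member`.
function bindingsFor(policy, member, role) {
  return (policy.bindings || []).filter(
    (b) => b.role === role && (b.members || []).includes(member)
  );
}

// saPolicy: the service account's own IAM policy; projectPolicy: the project's.
// Returns { canSign, findings } so the result can be asserted on or logged.
function auditSigning(saPolicy, projectPolicy, saEmail) {
  const member = `serviceAccount:${saEmail}`;
  const self = bindingsFor(saPolicy, member, TOKEN_CREATOR);
  const wide = bindingsFor(projectPolicy, member, TOKEN_CREATOR);
  const findings = [];
  if (self.length === 0 && wide.length === 0) {
    findings.push(`missing: grant ${TOKEN_CREATOR} to ${member} on ${saEmail}`);
  }
  if (self.some((b) => b.condition)) {
    findings.push(`conditional: self-grant on ${saEmail} carries an IAM condition; signBlob may still be denied`);
  }
  if (wide.length > 0) {
    findings.push(`over-broad: ${TOKEN_CREATOR} is granted at project level; it allows minting tokens for every service account in the project`);
  }
  return { canSign: self.length > 0 || wide.length > 0, findings };
}

// Constructed sample: the account was granted the role on itself only, plus the
// bucket role it already needed to manage files.
const SA = 'strapi-uploads@example-project.iam.gserviceaccount.com';
const SAMPLE_SA_POLICY = {
  bindings: [{ role: TOKEN_CREATOR, members: [`serviceAccount:${SA}`] }],
};
const SAMPLE_PROJECT_POLICY = {
  bindings: [{ role: 'roles/storage.objectAdmin', members: [`serviceAccount:${SA}`] }],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditSigning(SAMPLE_SA_POLICY, SAMPLE_PROJECT_POLICY, SA), null, 2));
}
```

Feed it the two `gcloud ... get-iam-policy --format=json` outputs for the account Strapi runs as; an empty `findings` array with `canSign: true` is the tightly scoped fix from the comment above.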