ProjectId override question

[fondberg]

After following the procedures outlined in the README (here) for creating a service account for machine integration the projectId is correctly set in the json key file however the usage of it is not.

I have two questions that I hope I can get help with:

• When changing the project_id in code some project which is wrong it still works. Can someone explain if the gcloud-java or the Google Cloud service stores or parses the service account to extract the correct project_id?

Storage storage = StorageOptions.builder() 
  .authCredentials(AuthCredentials.createForJson(new FileInputStream("/path/to/my/key.json"))
  .projectId("projectDoesNotExist") // <---- HERE
  .build()
  .service();
// It is possible to use the Storage.writer and upload correctly to the service accounts project_id!!!

• Reading Specifying a Project ID there are various ways to set the project id, however none using the following flow from code. Question is if it would be good if the StorageOptions.builder() could take a file String as argument?

//Todays API
Storage storage = StorageOptions.builder() 
  .authCredentials(AuthCredentials.createForJson(new FileInputStream("/path/to/my/key.json"))
  .build()
  .service();
//here the project_id of StorageOptions is never set if no environment variable is set as the json project_id is never parsed

//Proposed API change which automatically uses AuthCredentials is the json file is supplied
Storage storage = StorageOptions.builder("/path/to/my/key.json") 
  .build()
  .service();

[mziccard]

Hi @fonzy2013, thanks for the report!

When changing the project_id in code some project which is wrong it still works. Can someone explain if the gcloud-java or the Google Cloud service stores or parses the service account to extract the correct project_id?

As written in the README the projectId provided with projectId("...") has priority over any other possible projectId. So, in your snippet, we are actually using the wrong projectDoesNotExist id. What is happening here is that in Storage a bucket name must be unique across the entire Cloud Storage namespace (not only in your project). So all operations inside a bucket (creating, getting, listing blobs) do not require (nor allow) us to pass the projectId (since the bucket is already enough to uniquely define where to apply the operation). Hence no checks are made by the service on the projectId for that operation, but clearly the service account you provided to StorageOptions is checked to see if you have rights to access the bucket.

On the other hand, as you probably already noticed, project id is used to create and list buckets (to define the project that owns the bucket - and that should be billed for it). So if you provide a wrong project id to StorageOptions the operations create(BucketInfo) and list() will fail.

Question is if it would be good if the StorageOptions.builder() could take a file String as argument?

We considered having AuthCredentials.createForJson("/path/to/my/key.json") but that would not be supported in all platforms (i.e. AppEngine). So we decided to stick to the stream version as creating a stream from a file path should be easy enough.

Hope this answers your doubts.

[fondberg]

I have now read the code and tested further.
My result is the following:

• ProjectId MUST be set when building the service with .projectId("my-project"), otherwise it fails. This can however be solved easily with providing the project when building the service BUT we still feel it would be better to have the API use the one from the json file
• After a successful login there are NO way to change the project for the service account. This we do consider as a bug but is probably not something that can be fixed in this API, correct?

Are these reflections correct?

[mziccard]

ProjectId MUST be set when building the service with .projectId("my-project"), otherwise it fails. This can however be solved easily with providing the project when building the service BUT we still feel it would be better to have the API use the one from the json file

Did you consider using the GOOGLE_APPLICATION_CREDENTIALS env variable and make it point to your JSON key? This way the project id will be read from the json file

After a successful login there are NO way to change the project for the service account. This we do consider as a bug but is probably not something that can be fixed in this API, correct?

This is unclear to me. What do you mean with "login" and "service account"?

[mziccard]

I am closing this as it has remained open for 2 months without answers. Feel free to reopen it with more details if need be.