gcs: add support for anonymous access

Currently credentials are required to download a public bucket file
which is not really necessary and makes automated usage more complex.
Add a new option "anonymous" which when enabled configures the gcs
backend to use an anonymous HTTP client. This of course only works
for read access and trying to write will lead to errors like this:
"googleapi: Error 401: Anonymous caller does not have
storage.objects.create access to the Google Cloud Storage object.",
as expected. By default the anonymous access option is disabled so that
the GCS Application Default Credentials are still used by default as
before and an error is given if they can't be found.
This commit is contained in:
Kai Lüke 2020-06-30 17:01:02 +02:00 committed by Nick Craig-Wood
parent 99c293a403
commit 54f2587c1e
2 changed files with 17 additions and 2 deletions


@ -79,7 +79,8 @@ func init() {
Config: func(name string, m configmap.Mapper) { Config: func(name string, m configmap.Mapper) {
saFile, _ := m.Get("service_account_file") saFile, _ := m.Get("service_account_file")
saCreds, _ := m.Get("service_account_credentials") saCreds, _ := m.Get("service_account_credentials")
if saFile != "" || saCreds != "" { anonymous, _ := m.Get("anonymous")
if saFile != "" || saCreds != "" || anonymous == "true" {
return return
} }
err := oauthutil.Config("google cloud storage", name, m, storageConfig, nil) err := oauthutil.Config("google cloud storage", name, m, storageConfig, nil)
@ -103,6 +104,10 @@ func init() {
Name: "service_account_credentials", Name: "service_account_credentials",
Help: "Service Account Credentials JSON blob\nLeave blank normally.\nNeeded only if you want use SA instead of interactive login.", Help: "Service Account Credentials JSON blob\nLeave blank normally.\nNeeded only if you want use SA instead of interactive login.",
Hide: fs.OptionHideBoth, Hide: fs.OptionHideBoth,
}, {
Name: "anonymous",
Help: "Access public buckets and objects without credentials\nSet to 'true' if you just want to download files and don't configure credentials.",
Default: false,
}, { }, {
Name: "object_acl", Name: "object_acl",
Help: "Access Control List for new objects.", Help: "Access Control List for new objects.",
@ -265,6 +270,7 @@ type Options struct {
ProjectNumber string `config:"project_number"` ProjectNumber string `config:"project_number"`
ServiceAccountFile string `config:"service_account_file"` ServiceAccountFile string `config:"service_account_file"`
ServiceAccountCredentials string `config:"service_account_credentials"` ServiceAccountCredentials string `config:"service_account_credentials"`
Anonymous bool `config:"anonymous"`
ObjectACL string `config:"object_acl"` ObjectACL string `config:"object_acl"`
BucketACL string `config:"bucket_acl"` BucketACL string `config:"bucket_acl"`
BucketPolicyOnly bool `config:"bucket_policy_only"` BucketPolicyOnly bool `config:"bucket_policy_only"`
@ -411,7 +417,9 @@ func NewFs(name, root string, m configmap.Mapper) (fs.Fs, error) {
} }
opt.ServiceAccountCredentials = string(loadedCreds) opt.ServiceAccountCredentials = string(loadedCreds)
} }
if opt.ServiceAccountCredentials != "" { if opt.Anonymous {
oAuthClient = &http.Client{}
} else if opt.ServiceAccountCredentials != "" {
oAuthClient, err = getServiceAccountClient([]byte(opt.ServiceAccountCredentials)) oAuthClient, err = getServiceAccountClient([]byte(opt.ServiceAccountCredentials))
if err != nil { if err != nil {
return nil, errors.Wrap(err, "failed configuring Google Cloud Storage Service Account") return nil, errors.Wrap(err, "failed configuring Google Cloud Storage Service Account")
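Review bot: The anonymous branch `oAuthClient = &http.Client{}` hands a bare client to the storage API, so every request in this mode runs with no timeout and without the proxy, TLS (custom CA, client certificate, certificate-check) and user-agent settings that rclone's regular HTTP client carries; this is a behavioural and security difference from the credentialed paths that the commit does not mention. If the fshttp helper is importable in this file, `oAuthClient = fshttp.NewClient(fs.Config)` keeps those settings; failing that, the literal should at least get a `Timeout`. Because `opt.Anonymous` is tested first in the if/else chain, a configured service account is silently ignored whenever anonymous is also set, which deserves a comment at that line such as `// Anonymous access takes precedence over any configured credentials and is read-only` and a matching sentence in the option's Help text. NewFs begins and ends outside this hunk, so the remaining credential branches are not visible here.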


@ -194,6 +194,13 @@ the rclone config file, you can set `service_account_credentials` with
the actual contents of the file instead, or set the equivalent the actual contents of the file instead, or set the equivalent
environment variable. environment variable.
### Anonymous Access ###
For downloads of objects that permit public access you can configure rclone
to use anonymous access by setting `anonymous` to `true`.
With unauthorized access you can't write or create files but only read or list
those buckets and objects that have public read access.
### Application Default Credentials ### ### Application Default Credentials ###
If no other source of credentials is provided, rclone will fall back If no other source of credentials is provided, rclone will fall back