fog-google: Error: "Cannot insert legacy ACL for an object when uniform bucket-level access is enabled."

We’re using this via Paperclip and seeing this error on upload:

Google::Apis::ClientError

invalid: Cannot insert legacy ACL for an object when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access

https://sentry.io/share/issue/393f9e2786b543be9b2061a933268129/

Our config is:

    Paperclip::Attachment.default_options[:storage] = :fog
    Paperclip::Attachment.default_options[:fog_directory] = ENV["GOOGLE_STORAGE_BUCKET_NAME"] || ''
    Paperclip::Attachment.default_options[:path] = ":rails_root/public/system/system/:class/:attachment/:id_partition/:style/:filename"
    Paperclip::Attachment.default_options[:fog_credentials] = {
        provider: ENV["FOG_PROVIDER"] || "Local",
        local_root: "#{Rails.root}/public",
        google_project: 'public-lab' ,
        google_json_key_location: ENV["GOOGLE_JSON_KEY_FILE"] || '' ,
        google_storage_access_key_id: ENV["GOOGLE_STORAGE_KEY"] || '' ,
        google_storage_secret_access_key: ENV["GOOGLE_STORAGE_SECRET"] || ''
    }
    Paperclip::Attachment.default_options[:fog_public] = true # we tried adding this line or removing it
    Paperclip::Attachment.default_options[:fog_host] = ""

Has anyone seen this error? I can’t find any mention of uniform bucket level access in this repository.

https://cloud.google.com/storage/docs/uniform-bucket-level-access

Thank you very much!! cc @icarito

About this issue

  • State: open
  • Created 3 years ago
  • Reactions: 1
  • Comments: 23 (11 by maintainers)

Most upvoted comments

@Temikus

In SAP we are using fog-google CF Cloud Controller Blobstore to access Google storage buckets.

The missing uniformBucketLevelAccess support in fog-google has been known for some time but has never been a blocker for us. With the Sovereign Cloud Restrictions, uniformBucketLevelAccess becomes a hot topic for everyone who would like to use the offering.

Therefore, could you please update the status of uniformBucketLevelAccess support.

Appreciate your support.

@Temikus @icco

As @div-co has brought to our attention, with the Restrictions and limitations in EU Regions Sovereignty Controls, fog-google’s missing uniformBucketLevelAccess support is a blocker for those who would like to use the Sovereign cloud offering.

Hence we would really appreciate your support if you can provide an update here. Thanks in advance.

@icarito then in this case the problem is indeed because of the Uniform Bucket Level access. You should still be able to manage ACLs for files in the bucket, but paperclip needs to use the new ACL model, not a legacy one.

In theory the support for fog_public that paperclip uses is there: https://github.com/fog/fog-google/pull/318/files

Can you try deleting the XML credentials from the config (thus forcing the JSON driver) and let me know how it goes?

    google_storage_access_key_id: ENV["GOOGLE_STORAGE_KEY"] || '' ,
    google_storage_secret_access_key: ENV["GOOGLE_STORAGE_SECRET"] || ''
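A sketch of the suggestion above (added example, not code from the thread, fog-google or Paperclip): build the credentials hash so the two HMAC keys are left out entirely rather than set to `''`. It assumes fog-google chooses the XML driver whenever `:google_storage_access_key_id` is present as a key, whatever its value; the helper names and the sample key path are hypothetical.

```ruby
# Added example. Assumption: fog-google selects its XML (interoperability)
# driver when :google_storage_access_key_id is present as a key in the
# credentials hash, and the JSON driver otherwise.
XML_ONLY_KEYS = %i[google_storage_access_key_id google_storage_secret_access_key].freeze

# Build :fog_credentials for the JSON driver from an ENV-like hash.
# Unset or blank values are dropped instead of being passed as ''.
def json_fog_credentials(env, project:)
  creds = {
    provider: env["FOG_PROVIDER"],
    google_project: project,
    google_json_key_location: env["GOOGLE_JSON_KEY_FILE"]
  }
  creds.reject { |_key, value| value.nil? || value.to_s.strip.empty? }
end

# Hypothetical helper mirroring the assumed driver selection (key presence only).
def expected_driver(creds)
  creds.key?(:google_storage_access_key_id) ? :xml : :json
end

# List reasons a credentials hash would not reach the JSON driver.
def credential_problems(creds)
  problems = []
  present = XML_ONLY_KEYS & creds.keys
  problems << "XML/HMAC keys present: #{present.join(', ')}" unless present.empty?
  if creds[:provider] == "Google" && !creds.key?(:google_json_key_location)
    problems << "no google_json_key_location for the JSON driver"
  end
  problems
end

# Constructed sample: the thread's config shape with the HMAC variables unset,
# so both keys are still present but hold ''.
THREAD_STYLE = {
  provider: "Google",
  google_project: "public-lab",
  google_json_key_location: "/run/secrets/gcs.json", # constructed path
  google_storage_access_key_id: "",
  google_storage_secret_access_key: ""
}.freeze

# Constructed environment for the JSON-only variant.
SAMPLE_ENV = { "FOG_PROVIDER" => "Google", "GOOGLE_JSON_KEY_FILE" => "/run/secrets/gcs.json" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts expected_driver(THREAD_STYLE)
  puts credential_problems(THREAD_STYLE)
  puts expected_driver(json_fog_credentials(SAMPLE_ENV, project: "public-lab"))
end
```

The result of `json_fog_credentials` can be assigned to `Paperclip::Attachment.default_options[:fog_credentials]` in place of the literal hash.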