I am trying to access Google Cloud Storage using the AWS Java SDK. My particular scenario is that I would like to use a service account in a project "A" to list buckets in a project "B". The guide from Google doesn't cover this type of cross-project access with a service account.

I tried setting the x-goog-project-id header explicitly:

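        // Imports needed by this snippet (AWS SDK for Java 1.x):
        import com.amazonaws.auth.AWSStaticCredentialsProvider;
        import com.amazonaws.auth.BasicAWSCredentials;
        import com.amazonaws.client.builder.AwsClientBuilder;
        import com.amazonaws.services.s3.AmazonS3;
        import com.amazonaws.services.s3.AmazonS3ClientBuilder;
        import com.amazonaws.services.s3.model.Bucket;
        import com.amazonaws.services.s3.model.ListBucketsRequest;
        import java.util.List;

        // The access id and secret key below are for a service account in project "A".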
        BasicAWSCredentials googleCreds = new BasicAWSCredentials(
                "my access id",
                "my secret key");

        AmazonS3 interopClient = AmazonS3ClientBuilder.standard()
                .withEndpointConfiguration(
                        new AwsClientBuilder.EndpointConfiguration(
                                "https://storage.googleapis.com", "auto"))
                .withCredentials(new AWSStaticCredentialsProvider(googleCreds))
                .build();

        ListBucketsRequest listBucketsReq = new ListBucketsRequest();
        // The project id below is for project "B"
        listBucketsReq.putCustomRequestHeader("x-goog-project-id", "my project id");
        List<Bucket> buckets = interopClient.listBuckets(listBucketsReq);

        System.out.println("Buckets:");
        for (Bucket bucket : buckets) {
            System.out.println(bucket.getName());
        }

But I get the following error about duplicate header values:

        Exception in thread "main" com.amazonaws.services.s3.model.AmazonS3Exception: Multiple HTTP header values where one was expected. (Service: Amazon S3; Status Code: 400; Error Code: ExcessHeaderValues; Request ID: null; S3 Extended Request ID: null), S3 Extended Request ID: null

Is there any way to get this scenario working?

Juancki
Abe S

2 Answers

Based on the info in this thread, you have to add the service account created in project A to the IAM page in project B. Then add the corresponding roles.

Juancki

This recently changed. You can now pass in a header x-amz-project-id to specify a project for these operations, so your service account can "live" in one project but request bucket operations in any other.

Dom Zippilli
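
The two answers combined, as an added example that is not code from either poster: it sends the `x-amz-project-id` header named in the second answer and reports the failure modes discussed on this page separately. The environment variable names and the class name are hypothetical, and the code assumes the header behaves as that answer states and that a missing role in project "B" surfaces as HTTP 403.

```java
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AmazonS3Exception;
import com.amazonaws.services.s3.model.Bucket;
import com.amazonaws.services.s3.model.ListBucketsRequest;

public class CrossProjectListBuckets {  // hypothetical class name
    public static void main(String[] args) {
        // Hypothetical variable names. The HMAC key belongs to the service
        // account in project "A"; it is read from the environment so the
        // secret never lands in source control.
        String accessId = System.getenv("GCS_HMAC_ACCESS_ID");
        String secret = System.getenv("GCS_HMAC_SECRET");
        String projectB = System.getenv("GCS_TARGET_PROJECT_ID");
        if (accessId == null || secret == null || projectB == null) {
            System.err.println("Set GCS_HMAC_ACCESS_ID, GCS_HMAC_SECRET, GCS_TARGET_PROJECT_ID");
            System.exit(2);
        }

        AmazonS3 client = AmazonS3ClientBuilder.standard()
                .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(
                        "https://storage.googleapis.com", "auto"))
                .withCredentials(new AWSStaticCredentialsProvider(
                        new BasicAWSCredentials(accessId, secret)))
                .build();

        ListBucketsRequest req = new ListBucketsRequest();
        // Header from the second answer: selects the project whose buckets are listed.
        req.putCustomRequestHeader("x-amz-project-id", projectB);

        try {
            for (Bucket bucket : client.listBuckets(req)) {
                System.out.println(bucket.getName());
            }
        } catch (AmazonS3Exception e) {
            if (e.getStatusCode() == 403) {
                // First answer: the service account needs a role in project "B".
                System.err.println("Access denied: check the IAM bindings in " + projectB);
            } else if ("ExcessHeaderValues".equals(e.getErrorCode())) {
                // The error from the question: the project header was sent more than once.
                System.err.println("Duplicate project header: " + e.getErrorMessage());
            } else {
                throw e;
            }
            System.exit(1);
        }
    }
}
```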