1

I have a Google Cloud Source Repository I want my application to download files from. I have a specific use case where I want to get files from a Google Cloud Source Repository programmatically- not GCS or another location.

I want to control permissions to the repo with standard Google IAM. Can I grant a GCP service account access to read from a Cloud Source Repository?

In bitbucket you can download a file directly from a private repo with a rest call like this: curl -s -S --user username:apppassword -L -O https://bitbucket.org/<ORG_NAME>/<REPO>/src/master/<FOLDER>/file.txt

How can I use a GSA to download a file like this from a private Google Cloud Source Repository?

I am doing this in code so I do not have access to ssh or curl or the gcloud cli. I'll be using python to fetch this file.

I was also looking if the SDK supports this. I did not see anything in the docs for a python API for interacting with Google Cloud Source Repositories this way. I'm wondering how I can pull down this file with the requests library or even something like GitPython while authenticating with the GSA.

EDIT

Per the comments I tried creating a token in python and gcloud, but it does not work. The token is generated fine, but file download doesn't work.

I tried this (and via python):

curl -s -S -H "Authorization: Bearer $(gcloud auth print-access-token)" -L -O https://source.cloud.google.com/MY_GCP_PROJECT/MY_REPO/master/README.md

This downloads a huge html page that seems to be showing auth errors.

Maybe the http path is wrong? What is the correct path to the file in the source repo via http GET?

I confirmed I have permissions because this works gcloud source repos clone MY_REPO --project=MY_PROJECT

EDIT

This is where I am right now, I can't figure out what the right URL is to point to a specific branch and file:

import google.auth
import google.auth.transport.requests
import requests

# Generate a token from current security context
creds, project = google.auth.default()
auth_req = google.auth.transport.requests.Request()
creds.refresh(auth_req)

# Set token in Authorization header of http request
headers = {'Authorization':'Bearer {}'.format(creds.token)}

# Repo URL with branch and file specified (trying to download README.md in the root of the repo)
# What is the right URL here?
url = "https://source.developers.google.com/p/<GCP PROJECT>/r/<REPO NAME>/<BRANCH NAME>/README.md"

response = requests.get(url, headers=headers)

# I get a big mess of html with auth errors
print(response.content)

If I use this URL "https://source.developers.google.com/<GCP PROJECT>/<REPO NAME>/<BRANCH NAME>/README.md" I get back a page that includes PERMISSION_DENIED: The caller does not have permission

red888
  • 27,709
  • 55
  • 204
  • 392
  • 1
    Can you try to replace `--user username:apppassword` by `-H "Authorization: Bearer $(gcloud auth print-access-token)"`? – guillaume blaquiere Apr 01 '22 at 15:44
  • I can't do that because I do not have access to gcloud, I'm doing this programmatically through python. Is there a print-access-token method available in GCP SDK I could call to generate a token in code for the service account that is currently running that code? Then I could make the rest call programmatically with python with that generated token. – red888 Apr 01 '22 at 15:51
  • Also, is http access for Cloud Source Repository documented anywhere? I could not find anything, but maybe I'm not looking hard enough. thanks! – red888 Apr 01 '22 at 15:52
  • 1
    It's a Git server. If you use a GIT client, it should work. To generate an access token from Python code, you can find example here: https://stackoverflow.com/a/55804230/11372593 – guillaume blaquiere Apr 01 '22 at 16:01
  • 1
    @red888 Can you please let us know if the above comment helps you? – Rajeev Tirumalasetty Apr 04 '22 at 11:55
  • @guillaumeblaquiere see my edits this is not working for me. What is the correct http path to download a file directly? – red888 Apr 04 '22 at 14:19
  • @RajeevTirumalasetty Can you look at my last edit? I'm still struggling to find the right URL. I have found nothing in the documentation. – red888 Apr 13 '22 at 14:35

0 Answers0