From 54f2587c1ea564c0357b4efe7af1cc36cb8800ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kai=20L=C3=BCke?= Date: Tue, 30 Jun 2020 17:01:02 +0200 Subject: [PATCH] gcs: add support for anonymous access Currently credentials are required to download a public bucket file which is not really necessary and makes automated usage more complex. Add a new option "anonymous" which when enabled configures the gcs backend to use an anonymous HTTP client. This of course only works for read access and trying to write will lead to errors like that: "googleapi: Error 401: Anonymous caller does not not have storage.objects.create access to the Google Cloud Storage object.", as expected. By default the anonymous access option is disabled so that the GCS Application Default Credentials are still used by default as before and an error is given if they can't be found. --- backend/googlecloudstorage/googlecloudstorage.go | 12 ++++++++++-- docs/content/googlecloudstorage.md | 7 +++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/backend/googlecloudstorage/googlecloudstorage.go b/backend/googlecloudstorage/googlecloudstorage.go index 1ba2a945c..4b0481f5e 100644 --- a/backend/googlecloudstorage/googlecloudstorage.go +++ b/backend/googlecloudstorage/googlecloudstorage.go @@ -79,7 +79,8 @@ func init() { Config: func(name string, m configmap.Mapper) { saFile, _ := m.Get("service_account_file") saCreds, _ := m.Get("service_account_credentials") - if saFile != "" || saCreds != "" { + anonymous, _ := m.Get("anonymous") + if saFile != "" || saCreds != "" || anonymous == "true" { return } err := oauthutil.Config("google cloud storage", name, m, storageConfig, nil) 
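Review bot: The new guard in the `Config` callback tests the raw string with `anonymous == "true"`, while the same option is declared as a bool (`Default: false`) and decoded into `Anonymous bool` for `NewFs`. If the bool decoder accepts other spellings such as `1` or `True` (likely, but not visible on this page), such a remote would be anonymous at run time and still be pushed through the `oauthutil.Config` token flow during configuration. Parsing the value the same way on both paths removes the split, e.g. `anon, _ := strconv.ParseBool(anonymous)` followed by `if saFile != "" || saCreds != "" || anon {`; this needs `strconv` imported, which the hunk does not show. The callback's body continues outside the hunk.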
@@ -103,6 +104,10 @@ func init() { Name: "service_account_credentials", Help: "Service Account Credentials JSON blob\nLeave blank normally.\nNeeded only if you want use SA instead of interactive login.", Hide: fs.OptionHideBoth, + }, { + Name: "anonymous", + Help: "Access public buckets and objects without credentials\nSet to 'true' if you just want to download files and don't configure credentials.", + Default: false, }, { Name: "object_acl", Help: "Access Control List for new objects.", @@ -265,6 +270,7 @@ type Options struct { ProjectNumber string `config:"project_number"` ServiceAccountFile string `config:"service_account_file"` ServiceAccountCredentials string `config:"service_account_credentials"` + Anonymous bool `config:"anonymous"` ObjectACL string `config:"object_acl"` BucketACL string `config:"bucket_acl"` BucketPolicyOnly bool `config:"bucket_policy_only"` @@ -411,7 +417,9 @@ func NewFs(name, root string, m configmap.Mapper) (fs.Fs, error) { } opt.ServiceAccountCredentials = string(loadedCreds) } - if opt.ServiceAccountCredentials != "" { + if opt.Anonymous { + oAuthClient = &http.Client{} + } else if opt.ServiceAccountCredentials != "" { oAuthClient, err = getServiceAccountClient([]byte(opt.ServiceAccountCredentials)) if err != nil { return nil, errors.Wrap(err, "failed configuring Google Cloud Storage Service Account") diff --git a/docs/content/googlecloudstorage.md b/docs/content/googlecloudstorage.md index 9f5edb5a6..3408ccfd6 100644 --- a/docs/content/googlecloudstorage.md +++ b/docs/content/googlecloudstorage.md 
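Review bot: The `Help` text for the new `anonymous` option does not say that it takes precedence over `service_account_file` and `service_account_credentials`. In `NewFs` the `opt.Anonymous` branch is tested first, so a remote with both set silently sends unauthenticated requests and writes fail with the 401 quoted in the commit message. I would add a line to the help string, for example `Takes precedence over service account settings; uploads and other writes will fail.` The options list starts and ends outside the hunk.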
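Review bot: `oAuthClient = &http.Client{}` in the anonymous branch of `NewFs` builds a bare client on Go's default transport with no timeout. Unless the client is wrapped later outside this hunk, anonymous remotes would not pick up rclone's global HTTP settings (proxy, custom CA and TLS options, timeouts, user agent, request dumping). A deployment that relies on a configured proxy or trust store for all outbound traffic would have this one path bypass it. Building the client with the project's shared constructor keeps the paths consistent, e.g. `oAuthClient = fshttp.NewClient(fs.Config)`; the exact signature should be checked against the tree at this commit, and the import is not visible in the hunk. `NewFs` starts and ends outside the hunk.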
@@ -194,6 +194,13 @@ the rclone config file, you can set `service_account_credentials` with the actual contents of the file instead, or set the equivalent environment variable. +### Anonymous Access ### + +For downloads of objects that permit public access you can configure rclone +to use anonymous access by setting `anonymous` to `true`. +With unauthorized access you can't write or create files but only read or list +those buckets and objects that have public read access. + ### Application Default Credentials ### If no other source of credentials is provided, rclone will fall back