This document explains how to set up your system to authenticate to Google Cloud Storage (GCS) using the credential helper to download objects.
In order to access data from a bucket, you need a Google Cloud user or service account with read access to the objects you want to access (storage.objects.get). No other permissions are needed.
Refer to Google's documentation for more information.
- Install the Google Cloud SDK
- Run: gcloud auth application-default login
- Follow the browser prompts to authenticate
- Follow Google's documentation for choosing and setting up your method of choice
- Ensure your method of choice sets the Application Default Credentials (ADC) environment variable (GOOGLE_APPLICATION_CREDENTIALS)
- Alternatively, check that the credentials file is in a well-known location ($HOME/.config/gcloud/application_default_credentials.json)
Add to your .bazelrc:
common --credential_helper=storage.googleapis.com=%workspace%/tools/credential-helper
ERROR: Target parsing failed due to unexpected exception: java.io.IOException: Error downloading [https://storage.googleapis.com/...] to ...: GET returned 403 Forbidden
First, run gcloud auth application-default print-access-token to verify that your credentials are valid.
Then ensure the user you are logged in as has access to the bucket by running gsutil cp gs://<BUCKET_NAME>/<OBJECT> ./<OUTPUT_FILENAME>
Finally, check that the credential helper is configured in .bazelrc like this:
--credential_helper=storage.googleapis.com=%workspace%/tools/credential-helper
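The local parts of these checks (ADC file location and .bazelrc entry) can be run offline before invoking Bazel. The script below is an added example, not part of the credential helper project; the function names are hypothetical, and the file-permission check is an extra hardening step that this page does not require.

```shell
#!/bin/sh
# Added example: offline preflight for the setup described on this page.
# Function names are hypothetical; nothing here contacts Google Cloud.

# Print the ADC file that would be used, or fail if none is found.
adc_file() {
    if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
        # A set variable pointing at a missing file is reported as a
        # failure here instead of silently falling back.
        [ -f "$GOOGLE_APPLICATION_CREDENTIALS" ] || return 1
        printf '%s\n' "$GOOGLE_APPLICATION_CREDENTIALS"
        return 0
    fi
    f="$HOME/.config/gcloud/application_default_credentials.json"
    [ -f "$f" ] || return 1
    printf '%s\n' "$f"
}

# Succeed only if group and other have no access to the file.
# Characters 5-10 of "ls -l" output are the group and other mode bits.
adc_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Succeed if a non-comment line enables the helper for storage.googleapis.com.
bazelrc_has_helper() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -Fq -- '--credential_helper=storage.googleapis.com='
}

# Run all checks; returns 0 only if credentials and .bazelrc are in place.
preflight() {
    rc=${1:-.bazelrc}
    rv=0
    if cred=$(adc_file); then
        adc_is_private "$cred" ||
            echo "WARN: $cred is accessible by group/other; consider chmod 600"
    else
        echo "FAIL: no Application Default Credentials file found"
        rv=1
    fi
    if ! bazelrc_has_helper "$rc"; then
        echo "FAIL: $rc has no --credential_helper entry for storage.googleapis.com"
        rv=1
    fi
    return $rv
}
```

Source the file and call preflight with the path to your .bazelrc; a zero exit status means the local configuration is in place, so a remaining 403 points at bucket permissions rather than setup.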