阅读背景:

谷歌云存储—Rails web应用—针对不同环境的不同存储段和不同访问键

来源:互联网 

I plan to use a cloud based storage service to store some static user-uploaded content of my web application. I have settled upon Google Cloud Storage for now.

我计划使用基于云的存储服务来存储我的web应用程序的一些静态用户上传内容。目前我已经确定了谷歌云存储。

My web application is Rails, and I am using Paperclip with fog to connect to Google Cloud Storage.

我的web应用程序是Rails,我正在使用带有fog的Paperclip连接到谷歌云存储。

I understand that I need to use the Interoperable Storage Access Keys in the fog config to connect to my bucket. Any additional key I add is given access to all the buckets.

我理解我需要在fog配置中使用可互操作的存储访问键来连接到我的bucket。我添加的任何其他键都可以访问所有的bucket。

I want to have a separate bucket per environment (development, staging and production). I want to have separate access and secret keys, with each key having access to only one bucket.

我希望每个环境都有一个单独的bucket(开发、暂存和生产)。我希望有单独的访问和密钥,每个密钥只能访问一个桶。

Basically, I don't want to put my production keys in my web-app source code, which all developers will have access to.

基本上,我不想把产品密钥放在我的web应用程序源代码中,所有开发人员都可以访问它。

I read the Google Cloud Storage documentation on ACLs, but I could not find out how to achieve what I want.

我阅读了关于acl的谷歌云存储文档,但是我找不到如何实现我想要的。

I can't imagine that others wouldn't have had the same kind of requirement. Maybe I am using the wrong search terms, but I cannot get any info about this.

我无法想象其他人不会有同样的要求。也许我使用了错误的搜索词,但是我不能得到任何关于这个的信息。

I would appreciate some help.

我希望能得到一些帮助。

P.S. - Is what I want possible on AWS S3? I am open to switching to S3 if this is possible on it.

附注:我想在AWS S3上做什么?如果可能的话,我愿意切换到S3。

1 个解决方案

#1


2  

The normal solution for something like this would be to have 3 service accounts (development-app, staging-app, production-app), each of which would have its own set of credentials and permissions. You could either have a test, staging, and production project, or you could just have test, staging, and production buckets within a single project. You can create a whole range of per-project service accounts, each with its own set of credentials and permissions.

通常的解决方案是有3个服务账户(开发应用、阶段应用、生产应用),每个账户都有自己的凭证和权限。您可以有一个测试、阶段和生产项目,也可以只在一个项目中有测试、阶段和生产桶。您可以创建各种项目服务帐户,每个帐户都有自己的凭证和权限集。

Unfortunately, interoperable storage access keys are not available for service accounts, only regular Google user accounts. In order to do what you want, you'd need to have three user accounts, each of which was granted access to exactly one of those buckets.

不幸的是,互操作存储访问键不能用于服务帐户,只能用于常规的谷歌用户帐户。为了实现您想要的功能,您需要有三个用户帐户,每个帐户都被授予访问其中一个bucket的权限。


分享到: