I am unable to write to a GCP bucket in a streamlit community cloud deployed app. I followed this guide: Connect Streamlit to Google Cloud Storage - Streamlit Docs
Iโve updated my secrets accordingly and all works fine when running it locally with the same secrets.
However, when run in the streamlit community cloud deployed version I get:
google.api_core.exceptions.Forbidden: 403 POST https://storage.googleapis.com/upload/storage/v1/b/images_analyzer-prod/o?uploadType=multipart: {
"error": {
"code": 403,
"message": "gke-pods@s4a-prod.iam.gserviceaccount.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).",
"errors": [
{
"message": "gke-pods@s4a-prod.iam.gserviceaccount.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).",
This is how i am uploading to the GCP bucket:
def upload_blob_from_memory(
bucket_name: str, contents: Union[str, bytes], destination_blob_name: str
) -> str:
"""Uploads a content string to a given
Cloud Storage bucket and returns the public url to the new object."""
storage_client = storage.Client()
bucket = storage_client.bucket(bucket_name)
blob = bucket.blob(destination_blob_name)
blob.upload_from_string(contents)
return blob._get_download_url(client=storage_client)
My secret file looks like:
[connections.gcs]
type = "service_account"
project_id = "xxx"
private_key_id = "xxx"
private_key = "xxx"
client_email = "xxx"
client_id = "xxx"
auth_uri = "https://accounts.google.com/o/oauth2/auth"
token_uri = "https://oauth2.googleapis.com/token"
auth_provider_x509_cert_url = "https://www.googleapis.com/oauth2/v1/certs" client_x509_cert_url = "xxx"`
The gke-pods@s4a-prod.iam.gserviceaccount.com
is not the account I am using in my secrets, neither is it an account in my GCP project. Is this a internal streamlit account created for deployed apps?
Please let me know what I can do to circumvent this issue in the streamlit cloud deployment. The client_email
has all the necessary access rights to the bucket and as I said earlier, locally everything runs fine with the exact same credentials.
You can find the repo here: https://github.com/marcleerink/planar4_analyzer