Hey GCP Community,
I'm feeling a bit stuck and would really appreciate your help. I've set up a Google Cloud Global External Application Load Balancer with a backend bucket and enabled CDN. I also added an SSL certificate to ensure all traffic is securely routed to HTTPS.
However, when I try to access the storage files through the CDN, I keep getting an AccessDenied Error (403). I want to ensure that only the load balancer can access the bucket to fill the CDN cache, but I'm not sure how to set it up correctly.
I found two possible solutions online:
Has anyone encountered a similar issue or can offer guidance? I want to resolve this without making the bucket public or giving access to anyone else. Any advice or steps would be greatly appreciated!
Thank you so much in advance!
Search for the compute SA (something like service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com), and assign the `Storage Object Viewer` role to it in the Cloud Storage -> Bucket -> Permissions. It should resolve the issue.
I have granted the storage object viewer role to compute SA, but still the CDN is giving AccessDenied error.
Hello Yash,
You have two options -
1. Use signed URLs - https://cloud.google.com/cdn/docs/authenticate-content#how_signed_urls_work. This will require the request made by the client to be signed too.
2. Use private origin authentication - https://cloud.google.com/cdn/docs/configure-private-origin-authentication. You can refer to this Medium post for detailed instructions on how you can use this feature to access private GCS buckets - https://medium.com/@thetechbytes/private-gcs-bucket-access-through-google-cloud-cdn-430d940ebad9
I tried to follow the Medium article. In Step 7d, I'm facing issues while uploading the YAML file to the backend service.
For testing, I tried to upload the same file, which is created by GCP, without any editing, but that is also failing.
The code that I followed on Windows PowerShell:
```powershell
gcloud beta compute backend-services describe cdn-gcp-neg-lb-service --global > cdn-private-origin.yaml; gcloud compute backend-services import cdn-gcp-neg-lb-service --source cdn-private-origin.yaml --global
```
The error that I'm getting:
```
ERROR: gcloud crashed (UnicodeDecodeError): 'utf-8' codec can't decode byte 0xff in position 0: invalid start byte
If you would like to report this issue, please run the following command:
gcloud feedback
To check gcloud for common problems, please run the following command:
gcloud info --run-diagnostics
```
As far as I understand, it's an encoding issue. Try running the following PowerShell command to re-encode the file:
```powershell
# Get-Content honours the byte-order mark that PowerShell's `>` redirection wrote,
# so the text is read correctly; Set-Content -Encoding utf8 writes it back as UTF-8.
Get-Content cdn-private-origin.yaml | Set-Content cdn-private-origin-utf8.yaml -Encoding utf8
```
Then try to run `gcloud` with the updated file:
```powershell
gcloud compute backend-services import cdn-gcp-neg-lb-service --source cdn-private-origin-utf8.yaml --global
```
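A small Python re-encoder, added here as an example and not taken from the thread or from Google: it reproduces the `UnicodeDecodeError` on a constructed UTF-16 LE export (which is what Windows PowerShell's `>` redirection writes, hence the leading byte `0xff`) and rewrites it as UTF-8 for `gcloud compute backend-services import`. The script name `fix_encoding.py` and the sample YAML content are assumptions.

```python
import codecs
import sys
from pathlib import Path

# Byte-order marks, longest first: the UTF-16 LE BOM (FF FE) is a prefix of the
# UTF-32 LE BOM (FF FE 00 00), so UTF-32 must be tested before UTF-16.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
    (codecs.BOM_UTF8, "utf-8"),
]

# Constructed sample: a minimal backend-service export as Windows PowerShell's `>`
# redirection stores it, UTF-16 LE with a BOM, so the file starts with byte 0xFF.
SAMPLE_YAML = "name: cdn-gcp-neg-lb-service\nenableCDN: true\n"
POWERSHELL_REDIRECT_OUTPUT = codecs.BOM_UTF16_LE + SAMPLE_YAML.encode("utf-16-le")


def detect_bom(data: bytes):
    """Return (encoding, bom_length) from a leading BOM; plain UTF-8 has none."""
    for bom, enc in BOMS:
        if data.startswith(bom):
            return enc, len(bom)
    return "utf-8", 0


def gcloud_can_decode(data: bytes) -> bool:
    """Mimic the strict UTF-8 decode that raised the UnicodeDecodeError in gcloud."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def to_utf8(data: bytes) -> bytes:
    """Decode with the BOM-declared encoding and re-encode as UTF-8 without a BOM."""
    enc, skip = detect_bom(data)
    return data[skip:].decode(enc).encode("utf-8")


def reencode_file(src: str, dst: str) -> int:
    """Rewrite src as UTF-8 at dst; returns the number of bytes written."""
    fixed = to_utf8(Path(src).read_bytes())
    Path(dst).write_bytes(fixed)
    return len(fixed)


if __name__ == "__main__":
    # usage: python fix_encoding.py cdn-private-origin.yaml cdn-private-origin-utf8.yaml
    print(reencode_file(sys.argv[1], sys.argv[2]), "bytes written as UTF-8")
```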
To resolve the AccessDenied Error (403) without making the bucket public, you should grant access to the load balancer's service account. Here are the steps to find and set up the service account:
Find the Load Balancer Service Account:
Grant Access to the Service Account:
This should allow the load balancer to access the bucket without making it public.