Django - Cannot insert legacy ACL for an object when uniform bucket-level access is enabled

Google Cloud Compute Infrastructure
1

I am using this tutorial and was able to get to the python manage.py collectstatic line. I know from the settings that the code is using the Google Storage Bucket (“sync-bucket” in my case) to store static files.

after the collectstatic command my error is

“error”: {“code”: 400, “message”: "Cannot insert legacy ACL for an object when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access",

I was able to get through it by changing my bucket level to “fine-grained” and removing the “prevent public access” flag. I don’t really know if that was the correct way to get out of it.

Was there another setting or permission that I needed to apply?

I am using Django 4.04

REFERENCE = https://django-storages.readthedocs.io/en/latest/backends/gcloud.html

2

I think you got it all right. Public access prevention clearly does not make sense for a web server that serves static content publicly. And about uniform bucket-level access: it seems like the tutorial code or the Django framework itself tries to set specific ACLs on individual objects. That, by definition, requires fine-grained access.

1 Like
3

I am still struggling… Is there a way to not use Secrets Manager for the PostgreSQL DB? I torched everything and went to a different tutorial - I still cannot get anything but errors.

I am changing my settings.py to not use the Secrets manager.

databases = {“default”: env.db()}
DATABASES = {
‘default’: {
‘ENGINE’: ‘django.db.backends.postgresql’,
‘NAME’: ‘shell-django-ssi:us-central1:myinstance’,
‘USER’: ‘DJPASS’,
‘PASSWORD’: ‘DJPASS’,
‘HOST’: os.environ[‘CLOUD_SQL_INSTANCE_IP’],
‘PORT’: 5432,
}

ANY help would be fantastic. I’m at my wits end with Cloud Run.

4

What errors are you getting with yh current config?

5

When commented out the DATABASES = {“default”: env.db()} and changed my DB parameters in settings.py to :

Set this value from django-environ

databases = {“default”: env.db()}
DATABASES = {
‘default’: {
‘ENGINE’: ‘django.db.backends.postgresql’,
‘NAME’: ‘mydatabase’,
‘USER’: ‘DJPASS’,
‘PASSWORD’: ‘$DJPASS’,
‘HOST’: ‘35.225.64.66’,
‘PORT’: 5432,
}
}
Then when it does run, The admin Url gives a 403 error no matter what I put in for login credentials. :disappointed_face:
It built the basic Django screen is running. I will undo this and run again to get the password issue again.
Thank You for replying.
https://django-cloudrun-z3h7dm66qa-uc.a.run.app/

6

Finished Step #0 - “docker-layer”
Starting Step #1 - “migrate”
Step #1 - “migrate”: Already have image: Google Cloud console
Step #1 - “migrate”: 2023/04/17 22:58:17 current FDs rlimit set to 1048576, wanted limit is 8500. Nothing to do here.
Step #1 - “migrate”: 2023/04/17 22:58:18 Listening on 127.0.0.1:5432 for shell-django-ssi:us-central1:myinstance
Step #1 - “migrate”: 2023/04/17 22:58:18 Ready for new connections
Step #1 - “migrate”: 2023/04/17 22:58:18 Generated RSA key in 120.981908ms
Step #1 - “migrate”: 2023/04/17 22:58:21 New connection for “shell-django-ssi:us-central1:myinstance”
Step #1 - “migrate”: 2023/04/17 22:58:21 refreshing ephemeral certificate for instance shell-django-ssi:us-central1:myinstance
Step #1 - “migrate”: 2023/04/17 22:58:21 Scheduling refresh of ephemeral certificate in 55m0s
Step #1 - “migrate”: 2023/04/17 22:58:21 Client closed local connection on 127.0.0.1:5432
Step #1 - “migrate”: Traceback (most recent call last):
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/backends/base/base.py”, line 289, in ensure_connection
Step #1 - “migrate”: self.connect()
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/utils/asyncio.py”, line 26, in inner
Step #1 - “migrate”: return func(*args, **kwargs)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/backends/base/base.py”, line 270, in connect
Step #1 - “migrate”: self.connection = self.get_new_connection(conn_params)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/utils/asyncio.py”, line 26, in inner
Step #1 - “migrate”: return func(*args, **kwargs)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/backends/postgresql/base.py”, line 269, in get_new_connection
Step #1 - “migrate”: connection = self.Database.connect(**conn_params)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/psycopg2/init.py”, line 122, in connect
Step #1 - “migrate”: conn = _connect(dsn, connection_factory=connection_factory, **kwasync)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: psycopg2.OperationalError: connection to server at “127.0.0.1”, port 5432 failed: fe_sendauth: no password supplied
Step #1 - “migrate”:
Step #1 - “migrate”:
Step #1 - “migrate”: The above exception was the direct cause of the following exception:
Step #1 - “migrate”:
Step #1 - “migrate”: Traceback (most recent call last):
Step #1 - “migrate”: File “/workspace/manage.py”, line 22, in
Step #1 - “migrate”: main()
Step #1 - “migrate”: File “/workspace/manage.py”, line 18, in main
Step #1 - “migrate”: execute_from_command_line(sys.argv)
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/core/management/init.py”, line 442, in execute_from_command_line
Step #1 - “migrate”: utility.execute()
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/core/management/init.py”, line 436, in execute
Step #1 - “migrate”: self.fetch_command(subcommand).run_from_argv(self.argv)
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/core/management/base.py”, line 412, in run_from_argv
Step #1 - “migrate”: self.execute(*args, **cmd_options)
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/core/management/base.py”, line 458, in execute
Step #1 - “migrate”: output = self.handle(*args, **options)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/core/management/base.py”, line 106, in wrapper
Step #1 - “migrate”: res = handle_func(*args, **kwargs)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/core/management/commands/migrate.py”, line 117, in handle
Step #1 - “migrate”: executor = MigrationExecutor(connection, self.migration_progress_callback)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/migrations/executor.py”, line 18, in init
Step #1 - “migrate”: self.loader = MigrationLoader(self.connection)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/migrations/loader.py”, line 58, in init
Step #1 - “migrate”: self.build_graph()
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/migrations/loader.py”, line 235, in build_graph
Step #1 - “migrate”: self.applied_migrations = recorder.applied_migrations()
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/migrations/recorder.py”, line 81, in applied_migrations
Step #1 - “migrate”: if self.has_table():
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/migrations/recorder.py”, line 57, in has_table
Step #1 - “migrate”: with self.connection.cursor() as cursor:
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/utils/asyncio.py”, line 26, in inner
Step #1 - “migrate”: return func(*args, **kwargs)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/backends/base/base.py”, line 330, in cursor
Step #1 - “migrate”: return self._cursor()
Step #1 - “migrate”: ^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/backends/base/base.py”, line 306, in _cursor
Step #1 - “migrate”: self.ensure_connection()
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/utils/asyncio.py”, line 26, in inner
Step #1 - “migrate”: return func(*args, **kwargs)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/backends/base/base.py”, line 288, in ensure_connection
Step #1 - “migrate”: with self.wrap_database_errors:
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/utils.py”, line 91, in exit
Step #1 - “migrate”: raise dj_exc_value.with_traceback(traceback) from exc_value
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/backends/base/base.py”, line 289, in ensure_connection
Step #1 - “migrate”: self.connect()
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/utils/asyncio.py”, line 26, in inner
Step #1 - “migrate”: return func(*args, **kwargs)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/backends/base/base.py”, line 270, in connect
Step #1 - “migrate”: self.connection = self.get_new_connection(conn_params)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/utils/asyncio.py”, line 26, in inner
Step #1 - “migrate”: return func(*args, **kwargs)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/django/db/backends/postgresql/base.py”, line 269, in get_new_connection
Step #1 - “migrate”: connection = self.Database.connect(**conn_params)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: File “/layers/google.python.pip/pip/lib/python3.11/site-packages/psycopg2/init.py”, line 122, in connect
Step #1 - “migrate”: conn = _connect(dsn, connection_factory=connection_factory, **kwasync)
Step #1 - “migrate”: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Step #1 - “migrate”: django.db.utils.OperationalError: connection to server at “127.0.0.1”, port 5432 failed: fe_sendauth: no password supplied
Step #1 - “migrate”:
Finished Step #1 - “migrate”
ERROR
ERROR: build step 1 “Google Cloud console” failed: step exited with non-zero status: 1

BUILD FAILURE: Build step failure: build step 1 “Google Cloud console” failed: step exited with non-zero status: 1
ERROR: (gcloud.builds.submit) build 0ac29956-6db2-41c0-ac23-e17a6e697fbf completed with status “FAILURE”

7

I cannot even build it today. I reset the PROJECT_ID variable and tried

gcloud builds submit --pack image=gcr.io/${PROJECT_ID}/myimage

===> EXPORTING
[exporter] Adding layer ‘google.python.runtime:python’
[exporter] Adding layer ‘buildpacksio/lifecycle:launch.sbom’
[exporter] Adding 1/1 app layer(s)
[exporter] Adding layer ‘buildpacksio/lifecycle:launcher’
[exporter] Adding layer ‘buildpacksio/lifecycle:config’
[exporter] Adding layer ‘buildpacksio/lifecycle:process-types’
[exporter] Adding label ‘io.buildpacks.lifecycle.metadata’
[exporter] Adding label ‘io.buildpacks.build.metadata’
[exporter] Adding label ‘io.buildpacks.project.metadata’
[exporter] Setting default process type ‘web’
[exporter] Saving gcr.io//myimage
[exporter] *** Images (2fd3e301e81f):
[exporter] gcr.io//myimage - loading image “gcr.io//myimage”. first error: embedded daemon response: invalid reference format
[exporter] ERROR: failed to export: failed to write image to the following tags: [gcr.io//myimage: loading image “gcr.io//myimage”. first error: embedded daemon response: invalid reference format]
ERROR: failed to build: executing lifecycle. This may be the result of using an untrusted builder: failed with status code: 62
ERROR
ERROR: build step 0 “gcr.io/k8s-skaffold/pack” failed: step exited with non-zero status: 1

BUILD FAILURE: Build step failure: build step 0 “gcr.io/k8s-skaffold/pack” failed: step exited with non-zero status: 1
ERROR: (gcloud.builds.submit) build 7e39a97f-c1a0-4dfb-966d-e681992e5256 completed with status “FAILURE”

This seems to be a very fragile system. Are there any tutorials or instructions that you can recommend? I have tried 4 tutorials and samples. All have issues with the secrets manager or CSRF 403.

8

Looks like you’ve turned on the debug logs. What do you see there?

9

Is it really a recommended to allow public access to a Django API’s storage bucket? I thought it should be limited to developers and the client(s) that need to access the API. I’m dealing with the same issue and I’m not sure if completely disabling protections is the best route.

2 Likes