Years old static website getting unauthenticated on bucket backend

Google Cloud Compute Infrastructure
, ,
1

I have been running a static React SPA site for a couple years on GCP using the setup below. Recently I started receiving an unauthenticated message coming from the bucket. Interestingly it seems to only be during a handshake where access_token is the query string and started about 25% of the time, now its more like 75% of the time it fails.

I am wondering what changed or what the setup needs to be?

Setup:

  1. GCS Bucket with allUser being an Storage Object Viewer
  2. GCS Bucket settings has the 404 page set the index.html (for SPA routing)
  3. Load balancer (classic) with a the bucket as a backend.
  4. SSL Frontend on the load balancer

The error message:

<Error>
  <Code>AuthenticationRequired</Code>
  <Message>Authentication required.</Message>
</Error>

Things I have done to troubleshoot:

  • Loaded other static assets (not the index with the access_token param) with no problem. Images, javascript, css, favicon, etc

  • Did a lot of digging on the request logs from the LB and all the failed entries are similar to this

    {
  severity: "WARNING",
  httpRequest: {
    cacheLookup: true
    latency: "0.016666s"
    referer: "https://----------/"
    remoteIp: "-------"
    requestMethod: "GET"
    requestSize: "648"
    requestUrl: "https://-------/?access_token=----------"
    responseSize: "253"
    status: 401
    userAgent: "--- Chrome/136.0.0.0"
  },
  jsonPayload: {
    @type: "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry"
    backendTargetProjectNumber: "-----"
    cacheDecision: [
      0: "REQUEST_CACHE_CONTROL_NO_CACHE"
      1: "RESPONSE_HAS_CACHE_CONTROL"
      2: "RESPONSE_CACHE_CONTROL_DISALLOWED_CACHING"
      3: "RESPONSE_HAS_EXPIRES"
      4: "RESPONSE_HAS_CONTENT_TYPE"
      5: "CACHE_MODE_CACHE_ALL_STATIC"
    ]
    cacheId: "----"
    remoteIp: "----"
    statusDetails: "response_sent_by_backend"
  }
}

  • Search through cloudaudit activity log for the protoPayload.serviceName=“storage.googleapis.com” and see no changes on buckets

  • Ensured allUsers permission was still set to “Storage Object Viewer” on the buckets

  • verified in the storage docs that it does not accept access_token as a query string param in case there is some new collision

Any thoughts or ideas?

2

well over the last 48 hours it has started happening on 4 different static sites, i redeployed them to cloudflare…