Description
Looping back to `GOOGLE_APPLICATION_CREDENTIALS` for GCS, we wouldn't need to initialize `read_only_storage` for the Client here - as in, we would not need to initialize the bucket if we are calling `publish_log` endpoint via the Site Configuration Client because access to the bucket is permitted via the default service account. So you would only need the `api_token` from the application to read/write to the bucket via APIs?
I'm not sure exactly what you're asking. The cloud storage client has to get initialized at some point before you can make requests to it. When running on GCP with the default service account, it just means that you don't have to provide additional credentials when initializing or have a `GOOGLE_APPLICATION_CREDENTIALS` environment variable set.
Google's documentation is here: https://cloud.google.com/docs/authentication/production#automatically
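E.g., this code just works on GCP (assuming the right IAM bindings already exist):

```python
from google.cloud import storage

# No credentials passed: on GCP the default service account is picked up automatically.
c = storage.Client()
bucket = c.get_bucket("my-storage-bucket")
blob = storage.Blob('path/to/file', bucket)
# Open the destination for binary writing; the download writes bytes into it.
with open('file-to-download-to', 'wb') as file_obj:
    c.download_blob_to_file(blob, file_obj)
```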
That `storage.Client()` call still has to happen somewhere. I assume it would be in the Site Configuration client. You would want to avoid re-initializing it more often than you have to; i.e., you wouldn't want to call `storage.Client()` on every single read if your process is going to make multiple reads (since it involves some additional HTTP requests to the GCP Metadata server each time).
Originally posted by @thraxil in https://github.com/appsembler/site-configuration/issues/61#issuecomment-1024099092
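
The advice above about not calling `storage.Client()` on every read, sketched as an added example; it is not part of the original comment or the site-configuration code base. `adc_client`, `BucketReader`, `FakeClient` and `demo` are hypothetical names, and the fake client and its objects are constructed so the block runs offline.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

def adc_client():
    # Imported lazily so the demo runs without google-cloud-storage installed.
    from google.cloud import storage
    # No key file passed: on GCP this resolves to the attached service account.
    return storage.Client()

class BucketReader:
    """Hypothetical wrapper: builds the client once, on first read."""
    def __init__(self, bucket_name, client_factory=adc_client):
        self._name = bucket_name
        self._factory = client_factory
        self._lock = threading.Lock()
        self._bucket = None

    def _get_bucket(self):
        with self._lock:  # concurrent first reads must not each build a client
            if self._bucket is None:
                # bucket() is a local handle (no API call), so object-read
                # permission suffices; get_bucket() also needs storage.buckets.get.
                self._bucket = self._factory().bucket(self._name)
            return self._bucket

    def read(self, path):
        return self._get_bucket().blob(path).download_as_bytes()

class FakeClient:
    """Constructed stand-in for storage.Client that counts initializations."""
    created = 0

    def __init__(self, objects):
        FakeClient.created += 1
        self._objects = objects

    def bucket(self, name):
        return self  # the fake doubles as the bucket handle

    def blob(self, path):
        data = self._objects[path]
        return type("FakeBlob", (), {"download_as_bytes": lambda self: data})()

def demo():
    FakeClient.created = 0
    objects = {f"site/{i}.json": b"{}" for i in range(20)}  # constructed sample data
    reader = BucketReader("my-storage-bucket", lambda: FakeClient(objects))
    with ThreadPoolExecutor(8) as pool:
        results = list(pool.map(reader.read, objects))
    return results, FakeClient.created
```
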