This repository was archived by the owner on Mar 31, 2026. It is now read-only.

Storage: Bucket not including Access-Control-Allow-Origin header in preflight OPTIONS response #3

@danjenson

Fedora 31, Google Chrome 79.

On python 3.7 flask server:

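```python
from google.cloud import storage

# Authenticate with a service account key file
store = storage.Client.from_service_account_json('service_account.json')
bucket = store.create_bucket('test')

# Append a CORS entry that allows any origin, then push it to the bucket
cors = bucket.cors
cors.append({'origin': ['*']})
bucket.cors = cors
bucket.update()
```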

Command line cors check:

```shell
gsutil cors get gs://test  # [{"origin": ["*"]}]
```

On client in JS:

```javascript
// uploadUri is a signed uri from the 'test' bucket for uploading (PUT requests, v4)
// file is a local filesystem file
fetch(uploadUri, {
  method: 'PUT',
  mode: 'cors',
  cache: 'no-cache',
  headers: {
    'Content-Type': 'application/octet-stream',  // same error with file.type
  },
  body: file,
}).then(() => console.log('success'));
```

When this is sent, it runs a preflight OPTIONS request, which does not return the Access-Control-Allow-Origin header in the response, so the PUT fails.

Response headers include: alt-svc, cache-control, content-length, content-type, date, expires, server, status, vary, x-guploader-uploadid.

It looks like the signed URL uses the XML API by default, since the url is https://storage.googleapis.com/[BUCKET-NAME]/[PATH-NAME]?<signed_url_params> (https://cloud.google.com/storage/docs/request-endpoints), which is why I set the CORS above according to the documentation.

This happens locally, and while hosted on app engine. It also happens with both the fetch API and Axios npm package.

I've also tried adding maxAgeSeconds = 3600, method = ['*'], and 'Access-Control-Allow-Origin' to the 'responseHeader' array. Problem persists on retry, even several hours later.

Upload from command line using curl works: curl -v -I -X PUT -T file.csv -H 'Content-Type: application/octet-stream' <signed_url>, so this appears to be a browser/cors/headers issue.

I believe I have gone through and checked everything here: https://cloud.google.com/storage/docs/configuring-cors.

Labels

api: storage (Issues related to the googleapis/python-storage API.)
external (This issue is blocked on a bug with the actual product.)
triage me (I really want to be triaged.)
type: bug (Error or flaw in code with unintended results or allowing sub-optimal usage patterns.)
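
A curl PUT sends no preflight, so the browser's OPTIONS exchange has to be reproduced and checked separately. The following Python is an added example, not code from the issue or from google-cloud-storage: it sends the same preflight and applies the Fetch standard's preflight checks for a request without credentials, listing every failed check (a browser stops at the first). The function names and the `REPORTED` sample values are assumptions made for illustration.

```python
import urllib.error
import urllib.request

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}  # never need Allow-Methods approval

# Constructed sample: header names as listed in the report, placeholder values.
REPORTED = {"cache-control": "private, max-age=0", "content-length": "0",
            "content-type": "text/html; charset=UTF-8", "vary": "Origin",
            "x-guploader-uploadid": "PLACEHOLDER"}


def send_preflight(url, origin, method, request_headers):
    """Send the OPTIONS preflight a browser would send; return response headers."""
    req = urllib.request.Request(url, method="OPTIONS", headers={
        "Origin": origin,
        "Access-Control-Request-Method": method,
        "Access-Control-Request-Headers": ", ".join(h.lower() for h in request_headers),
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # an error status still carries headers
        return dict(err.headers.items())


def _tokens(value):
    """Split a comma-separated header value into stripped tokens."""
    return [t.strip() for t in (value or "").split(",") if t.strip()]


def evaluate_preflight(response_headers, origin, method, request_headers):
    """List the reasons a browser would reject this preflight (no credentials)."""
    hdrs = {k.lower(): v for k, v in response_headers.items()}
    problems = []
    allow_origin = hdrs.get("access-control-allow-origin")
    if allow_origin is None:
        problems.append("missing Access-Control-Allow-Origin")
    elif allow_origin not in ("*", origin):
        problems.append("Access-Control-Allow-Origin does not match " + origin)
    methods = set(_tokens(hdrs.get("access-control-allow-methods")))
    if method not in SAFELISTED_METHODS and not methods & {"*", method}:
        problems.append("method " + method + " not in Access-Control-Allow-Methods")
    headers = {t.lower() for t in _tokens(hdrs.get("access-control-allow-headers"))}
    for name in request_headers:  # non-safelisted request headers only
        if "*" not in headers and name.lower() not in headers:
            problems.append("header " + name + " not in Access-Control-Allow-Headers")
    return problems
```

To test a live bucket, pass the result of `send_preflight(signed_url, origin, "PUT", ["Content-Type"])` to `evaluate_preflight` with the same arguments, where `origin` is the origin the page is served from.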
