124

I am logged in to a GCE instance via SSH. From there I would like to access the Storage with the help of a Service Account:

GCE> gcloud auth list
Credentialed accounts:
 - 1234567890-compute@developer.gserviceaccount.com (active)

I first made sure that this Service account is flagged "Can edit" in the permissions of the project I am working in. I also made sure to give it the Write ACL on the bucket to which I would like it to copy a file:

local> gsutil acl ch -u 1234567890-compute@developer.gserviceaccount.com:W gs://mybucket

But then the following command fails:

GCE> gsutil cp test.txt gs://mybucket/logs

(I also made sure that "logs" is created under "mybucket").

The error message I get is:

Copying file://test.txt [Content-Type=text/plain]...
AccessDeniedException: 403 Insufficient Permission               0 B  

What am I missing?

Christophe
  • Was the GCE VM created with full control or read/write GCS scope? – jterrace Dec 03 '14 at 17:09
  • Thank you for pointing that out. I was not aware of that option indeed. I re-created the instance with the option enabled and it worked. If you could suggest turning on the flag as an answer I would happily flag it. – Christophe Dec 04 '14 at 09:54

9 Answers

188

One other thing to look for is to make sure you set up the appropriate scopes when creating the GCE VM. Even if a VM has a service account attached, it must be assigned devstorage scopes in order to access GCS.

For example, if you had created your VM with devstorage.read_only scope, trying to write to a bucket would fail, even if your service account has permission to write to the bucket. You would need devstorage.full_control or devstorage.read_write.

See the section on Preparing an instance to use service accounts for details.

Note: the default compute service account has very limited scopes (including having read-only to GCS). This is done because the default service account has Project Editor IAM permissions. If you use any user-created service account this is not typically a problem, since user-created service accounts get all scope access by default.

After adding necessary scopes to the VM, gsutil may still be using cached credentials which don't have the new scopes. Delete ~/.gsutil before trying the gsutil commands again. (Thanks to @mndrix for pointing this out in the comments.)

starball
jterrace
  • As of now, you can edit the scopes. Stop the machine, edit, then change the Cloud API access scopes. I believe this has only been available for about a month now. – Warren Dec 13 '16 at 00:08
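The scope check that the answer above describes can be done from inside the VM before touching anything else. The script below is an added example, not part of the answer: it reads the attached service account's scopes from the instance metadata server (a real endpoint, reachable only on GCE) and reports whether those scopes can ever permit an object write. The decision logic is kept in plain functions so it can be exercised offline with a constructed scope list; the `check` argument and the function names are this script's own.

```sh
#!/bin/sh
# Added example (not from the original answer): diagnose, from inside a GCE VM,
# whether the attached service account's OAuth scopes allow gsutil to write to
# GCS at all. Scope URIs and the metadata endpoint are Google's; the rest is ours.

# Metadata server path for the instance's default service account.
SA_METADATA="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"

# Scopes that cover object writes. devstorage.read_only is deliberately absent:
# with only that scope, "gsutil cp file gs://bucket/..." gets 403 even when the
# service account holds Project Editor or a write ACL on the bucket.
WRITE_SCOPE_RE='^https://www\.googleapis\.com/auth/(devstorage\.(read_write|full_control)|cloud-platform)$'
READ_SCOPE_RE='^https://www\.googleapis\.com/auth/(devstorage\.(read_only|read_write|full_control)|cloud-platform)$'

# One scope per line; fails (non-zero) when not running on GCE.
fetch_scopes() {
    curl -sf -m 3 -H 'Metadata-Flavor: Google' "$SA_METADATA/scopes"
}

fetch_email() {
    curl -sf -m 3 -H 'Metadata-Flavor: Google' "$SA_METADATA/email"
}

# Pure decision helpers: argument is the newline-separated scope list.
scopes_allow_gcs_write() {
    printf '%s\n' "$1" | grep -Eq "$WRITE_SCOPE_RE"
}

scopes_allow_gcs_read() {
    printf '%s\n' "$1" | grep -Eq "$READ_SCOPE_RE"
}

# Verdict for a scope list: read-write / read-only / none.
gcs_access_level() {
    if scopes_allow_gcs_write "$1"; then
        echo read-write
    elif scopes_allow_gcs_read "$1"; then
        echo read-only
    else
        echo none
    fi
}

# Interactive use on the VM:  sh scopecheck.sh check
diagnose() {
    email=$(fetch_email) || { echo "metadata server unreachable: not running on GCE?" >&2; return 2; }
    scopes=$(fetch_scopes) || { echo "could not read scopes for $email" >&2; return 2; }
    echo "service account: $email"
    echo "scopes:"
    printf '%s\n' "$scopes" | sed 's/^/  /'
    level=$(gcs_access_level "$scopes")
    echo "GCS access permitted by scopes: $level"
    case "$level" in
        read-write) echo "scopes are fine; if gsutil still returns 403, check IAM/ACLs and rm -rf ~/.gsutil" ;;
        *)          echo "stop the VM and re-attach the service account with storage-rw or storage-full scopes"; return 1 ;;
    esac
}

if [ "${1:-}" = "check" ]; then
    diagnose
fi
```

A verdict of read-only or none means no IAM role or bucket ACL will make the upload succeed; the instance scopes have to change first.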
65

You have to log in with an account that has the permissions you need for that project:

gcloud auth login
Javier Giovannini
56

gsutil config -b

Then surf to the URL it provides, [ CLICK Allow ]

Then copy the verification code and paste to terminal.

Uli Köhler
Dr. Tyrell
  • Note this doesn't work if you run `gsutil` from `ssh`. – bfontaine Dec 30 '16 at 14:17
  • It "doesn't work" insofar as not opening your browser. Instead, it provides a URL for you to manually copy and paste. – BuvinJ Sep 08 '17 at 19:34
  • This also works fine for everyone else _if you drop the `-b`_. That will not open a browser, but will simply spit out a URL that can be opened outside of the shell. – oligofren Mar 23 '18 at 13:36
  • Nice - this is the first solution I have found which does not require restarting the VM (and thereby potentially losing data). – Jonathan Dec 17 '21 at 20:11
  • This solution worked for me without restart. Thank you!! – Ravi Feb 25 '22 at 19:06
30
  1. Stop the VM.
  2. Go to VM instance details.
  3. In "Cloud API access scopes" select "Allow full access to all Cloud APIs", then click "Save".
  4. Restart the VM and delete ~/.gsutil.
Omar Bara
13

I have written an answer to this question since I can not post comments:

This error can also occur if you're running the gsutil command with a sudo prefix in some cases.

Rann Lifshitz
TheLoneDeranger
4
  1. After you have created the bucket, go to the permissions tab, add your email and set Storage Admin permission.
  2. Access the VM instance via SSH, run the command gcloud auth login and follow the steps.

Ref: https://groups.google.com/d/msg/gce-discussion/0L6sLRjX8kg/kP47FklzBgAJ

Văn Quyết
3

So I tried a bunch of things trying to copy from GCS bucket to my VM. Hope this post helps someone.

Via SSHed connection,

and following this script:

sudo gsutil cp gs://[BUCKET_NAME]/[OBJECT_NAME] [OBJECT_DESTINATION_IN_LOCAL]

Got this error:

AccessDeniedException: 403 Access Not Configured. Please go to the Google Cloud Platform Console (https://cloud.google.com/console#/project) for your project, select APIs and Auth and enable the Google Cloud Storage JSON API.

What fixed this was following "Activating the API" section mentioned in this link - https://cloud.google.com/storage/docs/json_api/


Once I activated the API then I authenticated myself in SSHed window via

gcloud auth login

Following authentication procedure I was finally able to download from Google Storage Bucket to my VM.

PS

I did make sure to:

  1. Make sure that gsutil is installed on my VM instance.
  2. Go to my bucket, go to the permissions tab, add the desired service accounts and set the Storage Admin permission / role.
  3. Make sure my VM had the proper Cloud API access scopes.

Yev Guyduy
2

From the docs: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes

You need to first stop the instance -> go to edit page -> go to "Cloud API access scopes" and choose "storage full access or read/write or whatever you need it for"

Changing the service account and access scopes for an instance If you want to run the VM as a different identity, or you determine that the instance needs a different set of scopes to call the required APIs, you can change the service account and the access scopes of an existing instance. For example, you can change access scopes to grant access to a new API, or change an instance so that it runs as a service account that you created, instead of the Compute Engine Default Service Account.

To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance. Use one of the following methods to change the service account or access scopes of the stopped instance.

Adelin
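The stop / change scopes / start procedure from this answer and from Omar Bara's answer above, done with gcloud instead of the console, as an added example that is not part of either answer. Rather than keeping the project-Editor default account and selecting "Allow full access to all Cloud APIs", it attaches a dedicated service account whose only grant is object creation on the one bucket, with the narrowest storage scope that still allows uploads. The instance, zone, project, bucket and account names are placeholders (assumptions); the gcloud and gsutil commands and the `storage-rw` scope alias are real. `DRY_RUN=1` prints the commands instead of running them.

```sh
#!/bin/sh
# Added example (not from the original answers): the gcloud equivalent of
# "stop the VM, change Cloud API access scopes, start it, delete ~/.gsutil",
# using a least-privilege service account instead of the default Editor account.
# All names below are placeholders; override them via the environment.

INSTANCE="${INSTANCE:-my-vm}"
ZONE="${ZONE:-us-central1-a}"
PROJECT="${PROJECT:-my-project}"
BUCKET="${BUCKET:-mybucket}"
SA_NAME="${SA_NAME:-vm-log-uploader}"
SA_EMAIL="$SA_NAME@$PROJECT.iam.gserviceaccount.com"

# DRY_RUN=1 echoes each command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. A service account whose only grant is object creation on the one bucket.
#    objectCreator is enough for "gsutil cp file gs://bucket/..."; add
#    objectViewer only if the VM must also list or download objects.
create_uploader_sa() {
    run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT" \
        --display-name="Uploads logs from $INSTANCE"
    run gsutil iam ch "serviceAccount:$SA_EMAIL:objectCreator" "gs://$BUCKET"
}

# 2. Scopes are fixed at boot, so the instance must be stopped to change them.
#    storage-rw is gcloud's alias for devstorage.read_write: it permits the
#    upload and is narrower than storage-full or cloud-platform.
attach_sa_with_scopes() {
    run gcloud compute instances stop "$INSTANCE" --zone="$ZONE" --project="$PROJECT"
    run gcloud compute instances set-service-account "$INSTANCE" --zone="$ZONE" --project="$PROJECT" \
        --service-account="$SA_EMAIL" --scopes=storage-rw
    run gcloud compute instances start "$INSTANCE" --zone="$ZONE" --project="$PROJECT"
}

# Run from the workstation (needs rights to manage IAM and the instance).
remediate() {
    create_uploader_sa
    attach_sa_with_scopes
}

# 3. Run inside the VM once it is back: drop gsutil's cached token, which may
#    still carry the old read-only scopes, then confirm which identity is active.
in_vm_reset() {
    run rm -rf "$HOME/.gsutil"
    run gcloud auth list
}

if [ "${1:-}" = "apply" ]; then
    remediate
fi
```

With this in place the bucket ACL step from the question is unnecessary: the IAM binding on the bucket plus the read_write scope is what lets `gsutil cp test.txt gs://mybucket/logs/` succeed, and the VM cannot reach any other API or bucket with that identity.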
-10

Change the permissions of bucket.

Add a user for "All Users" and give "Storage Admin" access.

Lamanus