0

I try copying a file to Google Cloud Storage using the command

gsutil cp access.log gs://XXX

and I get

Copying file://access.log [Content-Type=application/octet-stream]...
AccessDeniedException: 403 Access denied.

I would like to know who is the principal who got "access denied". Was it my OS user or the compute engine service account? How can I find this out? The Log Explorer does not seem to know of an "access denied".

Thorsten Staerk
  • If it was the OS user, wouldn't the error be like: `sh gsutil permission denied`? I think it's related to the scopes of your compute engine account. See [this](https://stackoverflow.com/questions/27275063/gsutil-copy-returning-accessdeniedexception-403-insufficient-permission-from) answer. – doneforaiur Aug 08 '23 at 07:23
  • Where are you running this command? – guillaume blaquiere Aug 08 '23 at 07:52
  • It depends on what you configured. For Compute Engine, you have the configured service account for the instance. That service account needs the IAM role granting access to Cloud Storage. However, if you configured the SDK, which gsutil is part of, then check with `gcloud auth list`. Note: `gsutil` also supports its own credentials. The CLI credentials have preference over the assigned service account (metadata credentials). Edit your post with details. – John Hanley Aug 08 '23 at 20:05
  • There is one more item to check. What are the VM's `Access Scopes`? Those can limit IAM permissions. The default scope is read-only. https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam – John Hanley Aug 08 '23 at 20:07
  • Read this link to understand how Application Default Credentials (ADC) work: https://cloud.google.com/docs/authentication/application-default-credentials – John Hanley Aug 08 '23 at 20:11
  • Feel free to update the status of the question. Let me know whether the answer below helps to resolve your issue. I am happy to help you if you have any further queries. – Veera Nagireddy Aug 10 '23 at 12:12
  • Did you have time to check my answer & did it help you solve problems? [What should I do when someone answers my question?](https://stackoverflow.com/help/someone-answers). – Veera Nagireddy Aug 30 '23 at 09:48

1 Answer

0

As per the GCP official doc on Limit service account privileges:

Service accounts are principals and can be granted access to a resource like a regular user account. However, service accounts often have greater access to more resources than a typical user.

By default your machine should have READ access to the buckets in the same project, but configuration is required before you can write to them.

Set proper Access scopes to resolve the error AccessDeniedException: 403 Access denied as per the below steps:

  1. Navigate to console.cloud.google.com >> select your project from the drop down menu >> select your VM and click STOP in the top menu bar.

  2. Once your VM has been stopped, click on its name and then EDIT in the top menu bar.

  3. Scroll down until you see a header called Access Scopes, which will likely be on the Allow default access selection.

  4. Select Set access for each API as your option, then scroll down until you see Storage, which is likely set on READ: change it to READ/WRITE, or whatever you feel is necessary for your use case.

  5. Save your changes and restart your VM.

Refer to Changing the service account and access scopes for an instance for more information.

Veera Nagireddy
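The question asks which principal actually received the 403, and the comments and answer point at two different things to check: the credentials gsutil is using (CLI credentials win over the VM's metadata-server credentials) and the VM's access scopes. The script below is an added example, not code from the question or the answer. It reads the attached service account and its scopes from the Compute Engine metadata server (the `computeMetadata/v1/instance/service-accounts/default/email` and `/scopes` endpoints, which require the `Metadata-Flavor: Google` header), asks `gcloud auth list` for an active CLI account, and reports which principal gsutil would act as and whether the scopes allow writing to Cloud Storage. The `GCS_CHECK_LIVE` environment variable and the function names are this example's own; the live lookups run only when it is set, so the pure functions can be exercised with constructed input off a VM.

```shell
#!/bin/sh
# Added example (not from the question or the answer): work out which principal
# gsutil runs as on a Compute Engine VM and whether the VM's access scopes permit
# Cloud Storage writes. Requires curl and, for the CLI check, gcloud.

# Metadata-server base path for the instance's attached service account.
METADATA="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"

# Print the email of the VM's attached service account.
vm_service_account() {
  curl -sf -H "Metadata-Flavor: Google" "$METADATA/email"
}

# Print the OAuth scopes granted to the VM, one per line.
vm_scopes() {
  curl -sf -H "Metadata-Flavor: Google" "$METADATA/scopes"
}

# Print the account gcloud currently has active, if any. CLI credentials take
# precedence over metadata-server credentials, so a non-empty result is the
# principal gsutil acted as; access scopes do not apply to such user credentials.
cli_active_account() {
  gcloud auth list --filter=status:ACTIVE --format="value(account)" 2>/dev/null
}

# Decide the effective principal from the CLI account ($1) and VM account ($2).
effective_principal() {
  cli="$1"
  vm="$2"
  if [ -n "$cli" ]; then
    printf '%s (gcloud CLI credentials)\n' "$cli"
  elif [ -n "$vm" ]; then
    printf '%s (VM service account via metadata server)\n' "$vm"
  else
    printf 'no credentials found\n'
  fi
}

# Read a scope list on stdin; succeed if any scope allows writing to Cloud Storage.
# cloud-platform, devstorage.read_write and devstorage.full_control all do;
# devstorage.read_only (the default for a new VM) does not.
scopes_allow_storage_write() {
  grep -Eq 'auth/(cloud-platform|devstorage\.(read_write|full_control))$'
}

# Live checks only run when GCS_CHECK_LIVE=1 (hypothetical variable for this example).
if [ "${GCS_CHECK_LIVE:-0}" = "1" ]; then
  cli=$(cli_active_account)
  vm=$(vm_service_account)
  printf 'Effective principal: %s\n' "$(effective_principal "$cli" "$vm")"
  scopes=$(vm_scopes)
  printf 'VM access scopes:\n%s\n' "$scopes"
  if [ -n "$cli" ]; then
    echo "CLI credentials in use: scopes are irrelevant, check the IAM roles of $cli on the bucket."
  elif printf '%s\n' "$scopes" | scopes_allow_storage_write; then
    echo "Scopes permit Cloud Storage writes: check the IAM roles of $vm on the bucket."
  else
    echo "Scopes block Cloud Storage writes for $vm, regardless of its IAM roles."
  fi
fi
```

Run it on the VM with `GCS_CHECK_LIVE=1 sh check_principal.sh` before touching the console. The final branch is the case the answer's procedure fixes: a read-only storage scope on the metadata credentials produces the 403 even when the service account holds a suitable IAM role. If the first branch fires instead, changing scopes will not help and the bucket's IAM bindings for the CLI account are the place to look.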