AccessDeniedException: 403 Forbidden on GCS using owner account

MobliMic · Dec 31, 2014 · Viewed 13k times

I have tried to access files in a bucket and I keep getting access denied on the files. I can see them in the GCS console but cannot access them through that, and cannot access them through gsutil either, running the command below.

gsutil cp gs://my-bucket/folder-a/folder-b/mypdf.pdf files/

But all this returns is AccessDeniedException: 403 Forbidden

I can list all the files and such but not actually access them. I've tried adding my user to the ACL but that still had no effect. All the files were uploaded from a VM through a FUSE mount, which worked perfectly, and then I just lost all access.

I've checked these posts but none seem to have a solution that's helped me:

Can't access resource as OWNER despite the fact I'm the owner

gsutil copy returning "AccessDeniedException: 403 Insufficient Permission" from GCE

gsutil cors set command returns 403 AccessDeniedException

Answer

Brandon Yarbrough · Jan 1, 2015

This is quite possible. Owning a bucket grants FULL_CONTROL permission to that bucket, which includes the ability to list objects within that bucket. However, bucket permissions do not automatically imply any sort of object permissions, which means that if some other account is uploading objects and sets ACLs to be something like "private," the owner of the bucket won't have access to it (although the bucket owner can delete the object, even if they can't read it, as deleting objects is a bucket permission).

I'm not familiar with the default FUSE settings, but if I had to guess, you're using your project's system account to upload the objects, and they're set to private. That's fine. The easiest way to test that would be to run gsutil from a GCE host, where the default credentials will be the system account. If that works, you could use gsutil to switch the ACLs to something more permissive, like "project-private."

The command to do that would be:

gsutil acl set -R project-private gs://myBucketName/
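The bucket-versus-object ACL split that the answer describes is easy to misread, so here is an added example (not part of the question, the answer, gsutil or the GCS client libraries) that models it: a bucket ACL and an object ACL are evaluated independently, so a bucket OWNER can list and delete an object and still get 403 on a read. The capability tables are a deliberately simplified model of the legacy (pre-IAM) GCS roles, the ACL documents are constructed in the shape `gsutil acl get` prints them, and every account, project number and bucket name is a placeholder. `repair_hint` reproduces the answer's advice: when the caller can list but not read, switch the object ACLs to `project-private`.

```python
"""Added example: a small model of the legacy GCS ACL rule the answer relies on.

Bucket ACLs and object ACLs are evaluated independently, so an account that is
OWNER of the bucket can list and delete objects yet be unable to read an object
whose own ACL does not name it.  The capability tables below are a simplified
model of the legacy (pre-IAM) GCS permissions, not the service's code, and the
ACL documents are constructed in the shape `gsutil acl get` prints them.
"""
import json

ROLE_RANK = {"READER": 1, "WRITER": 2, "OWNER": 3}

# What a role on the *bucket* lets you do (simplified legacy semantics).
BUCKET_CAPS = {
    "READER": {"list_objects"},
    "WRITER": {"list_objects", "create_object", "delete_object"},
    "OWNER": {"list_objects", "create_object", "delete_object", "change_bucket_acl"},
}
# What a role on the *object* lets you do.  Objects have no WRITER role.
OBJECT_CAPS = {
    "READER": {"read_object"},
    "OWNER": {"read_object", "change_object_acl"},
}


def entity_matches(entity, principal, project_roles):
    """Does an ACL entity string apply to `principal` (an e-mail address)?

    project_roles is the set of project team roles the principal holds
    (subset of {"owners", "editors", "viewers"}), used to resolve project-* entities."""
    if entity in ("allUsers", "allAuthenticatedUsers"):
        return True
    if entity == "user-" + principal:
        return True
    if entity.startswith("project-"):
        team = entity.split("-")[1]          # project-owners-123 -> owners
        return team in project_roles
    return False


def effective_role(acl, principal, project_roles):
    """Highest role any matching entry grants, or None if nothing matches."""
    best = None
    for entry in acl:
        if entity_matches(entry["entity"], principal, project_roles):
            if best is None or ROLE_RANK[entry["role"]] > ROLE_RANK[best]:
                best = entry["role"]
    return best


def allowed_operations(bucket_acl, object_acl, principal, project_roles=frozenset()):
    """Union of what the bucket ACL and the object ACL each grant, checked separately."""
    ops = set()
    bucket_role = effective_role(bucket_acl, principal, project_roles)
    if bucket_role:
        ops |= BUCKET_CAPS[bucket_role]
    object_role = effective_role(object_acl, principal, project_roles)
    if object_role:
        ops |= OBJECT_CAPS[object_role]
    return ops


def project_private_acl(project_number):
    """Object ACL equivalent to gsutil's canned 'project-private' ACL."""
    return [
        {"entity": "project-owners-%s" % project_number, "role": "OWNER"},
        {"entity": "project-editors-%s" % project_number, "role": "OWNER"},
        {"entity": "project-viewers-%s" % project_number, "role": "READER"},
    ]


def repair_hint(bucket, bucket_acl, object_acl, principal, project_roles=frozenset()):
    """Return the gsutil command that fixes the symptom in the question, or None.

    The symptom: the principal can list the bucket but cannot read the object."""
    ops = allowed_operations(bucket_acl, object_acl, principal, project_roles)
    if "list_objects" in ops and "read_object" not in ops:
        return "gsutil acl set -R project-private gs://%s/" % bucket
    return None


# Constructed sample ACLs (placeholder identities, not real accounts).
OWNER = "owner@example.com"
PROJECT = "123456789"
BUCKET_ACL = json.loads("""[
  {"entity": "user-owner@example.com", "role": "OWNER"},
  {"entity": "project-owners-123456789", "role": "OWNER"},
  {"entity": "project-editors-123456789", "role": "OWNER"},
  {"entity": "project-viewers-123456789", "role": "READER"}
]""")
# An object uploaded by the VM's service account with the 'private' canned ACL:
# only the uploader is named, so nobody else can read it.
PRIVATE_OBJECT_ACL = json.loads("""[
  {"entity": "user-123456789-compute@developer.gserviceaccount.com", "role": "OWNER"}
]""")

if __name__ == "__main__":
    before = allowed_operations(BUCKET_ACL, PRIVATE_OBJECT_ACL, OWNER, {"owners"})
    print("bucket owner before:", sorted(before))
    print("fix:", repair_hint("my-bucket", BUCKET_ACL, PRIVATE_OBJECT_ACL, OWNER, {"owners"}))
    after = allowed_operations(BUCKET_ACL, project_private_acl(PROJECT), OWNER, {"owners"})
    print("bucket owner after project-private:", sorted(after))
```

Run against the constructed ACLs, the bucket owner gets `list_objects` and `delete_object` from the bucket ACL but no `read_object`, which is exactly the "I can list but not copy" symptom; after the objects carry the `project-private` ACL the same account (as a project owner) can read them, while an account outside the project still cannot. In a real investigation the two inputs come from `gsutil acl get gs://bucket` and `gsutil acl get gs://bucket/path/to/object`.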