gsutil copy returning "AccessDeniedException: 403 Insufficient Permission" from GCE

Christophe · Dec 3, 2014 · Viewed 63.5k times

I am logged in to a GCE instance via SSH. From there I would like to access the Storage with the help of a Service Account:

GCE> gcloud auth list
Credentialed accounts:
 - [email protected] (active)

I first made sure that this Service account is flagged "Can edit" in the permissions of the project I am working in. I also made sure to give him the Write ACL on the bucket I would like him to copy a file to:

local> gsutil acl ch -u [email protected]:W gs://mybucket

But then the following command fails:

GCE> gsutil cp test.txt gs://mybucket/logs

(I also made sure that "logs" is created under "mybucket").

The error message I get is:

Copying file://test.txt [Content-Type=text/plain]...
AccessDeniedException: 403 Insufficient Permission               0 B  

What am I missing?

Answer

jterrace · Dec 4, 2014

One other thing to look for is to make sure you set up the appropriate scopes when creating the GCE VM. Even if a VM has a service account attached, it must be assigned devstorage scopes in order to access GCS.

For example, if you had created your VM with devstorage.read_only scope, trying to write to a bucket would fail, even if your service account has permission to write to the bucket. You would need devstorage.full_control or devstorage.read_write.

See the section on Preparing an instance to use service accounts for details.

Note: the default compute service account has very limited scopes (including having read-only access to GCS). This is done because the default service account has Project Editor IAM permissions. If you use any user service account this is not typically a problem, since user-created service accounts get all scope access by default.

After adding necessary scopes to the VM, gsutil may still be using cached credentials which don't have the new scopes. Delete ~/.gsutil before trying the gsutil commands again. (Thanks to @mndrix for pointing this out in the comments.)
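The answer's point is that a GCS write needs two things at once: IAM/ACL permission on the bucket and a devstorage scope on the instance's token. Below is an added diagnostic (not code from the question, the answer, or gsutil itself) that reads the instance's granted scopes from the GCE metadata server and reports whether the token alone would permit a write. The metadata URL and the `Metadata-Flavor: Google` header are the documented GCE interface; the scope lists in the `__main__` block are constructed samples used when the script is not run on a GCE VM.

```python
"""Diagnose whether a GCE instance's OAuth scopes allow writing to GCS.

Run on the VM: it queries the metadata server for the service account's
scopes. Off the VM it falls back to constructed sample scope lists so the
logic can be exercised anywhere.
"""
import urllib.error
import urllib.request

# Documented GCE metadata endpoint listing the scopes granted to the
# instance's default service account (one scope per line).
METADATA_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/scopes"
)

# Scopes that permit object writes in GCS; read_only does not, regardless of
# what IAM roles or bucket ACLs the service account holds.
WRITE_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
}
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
READ_ONLY = "https://www.googleapis.com/auth/devstorage.read_only"


def parse_scopes(text):
    """Turn the metadata server's newline-separated list into a clean list."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def fetch_instance_scopes(timeout=2.0):
    """Query the metadata server; raises urllib.error.URLError off-GCE."""
    req = urllib.request.Request(METADATA_URL, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_scopes(resp.read().decode("utf-8"))


def diagnose(scopes):
    """Return (can_write, reason) for a list of granted scopes.

    reason is one of: "write-scope", "cloud-platform", "read-only",
    "no-storage-scope". A True result only means the token is not the
    blocker; bucket IAM/ACLs still have to grant the write.
    """
    granted = set(scopes)
    if granted & WRITE_SCOPES:
        return True, "write-scope"
    if CLOUD_PLATFORM in granted:
        return True, "cloud-platform"
    if READ_ONLY in granted:
        return False, "read-only"
    return False, "no-storage-scope"


def explain(scopes):
    """Human-readable summary matching the 403 symptom in the question."""
    can_write, reason = diagnose(scopes)
    if can_write:
        return ("token scope permits GCS writes (%s); if you still get 403, "
                "check bucket IAM/ACLs or clear cached credentials in ~/.gsutil"
                % reason)
    if reason == "read-only":
        return ("instance token is limited to devstorage.read_only: gsutil cp "
                "will return 403 Insufficient Permission even with a Write ACL; "
                "the VM needs devstorage.read_write or full_control")
    return "instance token carries no GCS scope at all; every gsutil call will 403"


if __name__ == "__main__":
    try:
        scopes = fetch_instance_scopes()
        source = "metadata server"
    except (urllib.error.URLError, OSError):
        # Constructed sample resembling a VM created with read-only storage scope.
        scopes = [
            "https://www.googleapis.com/auth/devstorage.read_only",
            "https://www.googleapis.com/auth/logging.write",
        ]
        source = "constructed sample (not on GCE)"
    print("scopes from %s:" % source)
    for s in scopes:
        print("  ", s)
    print(explain(scopes))
```

If the script reports "read-only", the bucket ACL from the question is irrelevant until the instance's scopes are changed (`gcloud compute instances set-service-account INSTANCE --scopes=...` on a stopped VM, or recreating the VM as the answer describes), after which the cached credentials in `~/.gsutil` should be removed as the answer notes.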