Tom Fishman

Reputation: 1826

gsutil cannot get acl for a particular file for the owner

$ gsutil acl get gs://mybucket/xyz.css

GSResponseError: status=403, code=AccessDenied, reason="Forbidden", message="Access denied.", detail="Access denied to mybucket/xyz.css"

How should I diagnose the problem?

I'm the owner of the bucket. But as the answer points out, I'm not the owner of the object.

Upvotes: 1

Views: 660

Answers (2)

Brandon Yarbrough

Reputation: 38379

In order to view the ACL for an object, you must have the FULL_CONTROL permission for that object (bucket permissions are irrelevant). There are a variety of reasons that you might not be able to access this object, but the most obvious is that you are using gsutil with an account that does not have FULL_CONTROL permission for this object. The account that owns an object always has FULL_CONTROL permission.

Did you create this bucket? Did you create this object? Did you create them with the same account with which you've configured gsutil? Perhaps you've set up gsutil with a service account but the object is owned by your user account?

Here are some possible reasons why this might be the case:

  • This isn't your bucket and/or object. Perhaps you've misspelled it?
  • You're using gsutil as an anonymous user or as a different user than the owner of this object.
  • Some other user or service had permission to create objects in your bucket and created it with custom ACLs that don't include you.

Here are some random troubleshooting ideas:

Upvotes: 2

Mike Schwartz

Reputation: 12145

Only users granted FULL_CONTROL access are allowed to read the object's ACL. Do you know who created this object? If so, you could ask that person to run the gsutil acl get command on it; then you could see who is granted FULL_CONTROL access.

Upvotes: 2
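
Added example (not part of either answer): once someone who holds FULL_CONTROL has run gsutil acl get and shared the output, this sketch lists who is granted FULL_CONTROL and checks whether a given account is covered. It assumes the JSON form of the output, where the role is spelled OWNER and entities look like user-<email>; the ACL, the account names and the function names are constructed for illustration.

```python
import json

# Constructed sample of `gsutil acl get` output, as the object's creator
# might share it. All entities and the project number are made up.
SAMPLE_ACL = """
[
  {"entity": "user-uploader@example.com", "role": "OWNER"},
  {"entity": "group-web-team@example.com", "role": "OWNER"},
  {"entity": "project-owners-000000000000", "role": "READER"},
  {"entity": "allUsers", "role": "READER"}
]
"""

# Assumption: the JSON API spells the permission OWNER, the XML API FULL_CONTROL.
FULL_CONTROL_ROLES = {"OWNER", "FULL_CONTROL"}


def full_control_entities(acl_json):
    """Return the entities granted FULL_CONTROL on the object."""
    return [entry["entity"] for entry in json.loads(acl_json)
            if entry.get("role", "").upper() in FULL_CONTROL_ROLES]


def check_account(acl_json, account):
    """Classify whether `account` can read this object's ACL.

    'direct'   - a user, domain or all-users grant covers the account
    'indirect' - only group or project-team grants exist; membership
                 has to be verified separately
    'none'     - no FULL_CONTROL grant could cover the account
    """
    account = account.lower()
    domain = account.rsplit("@", 1)[-1]
    indirect = False
    for entity in full_control_entities(acl_json):
        kind, _, value = entity.partition("-")
        if kind in ("allUsers", "allAuthenticatedUsers"):
            return "direct"
        if kind == "user" and value.lower() == account:
            return "direct"
        if kind == "domain" and value.lower() == domain:
            return "direct"
        if kind in ("group", "project"):
            indirect = True
    return "indirect" if indirect else "none"


if __name__ == "__main__":
    print(full_control_entities(SAMPLE_ACL))
    print(check_account(SAMPLE_ACL, "bucket-owner@example.com"))
```

A result of none for the account configured in gsutil matches the 403 in the question: the bucket owner is simply not in the object's ACL.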
