Justin L.

Reputation: 387

How does one debug access control problems with google cloud storage?

In learning how to use Google Compute Engine with Google Cloud Storage, I've run into a problem with ACLs. From my own computer, using my own SSH credentials, I can do whatever I want with my bucket. But when I log into my compute instance using the web-based SSH client, I can only read from the bucket. Copying data back up to the bucket gets me an 'AccessDeniedException: 403 Insufficient Permission' error. (I'm doing all of these copying experiments with gsutil.)

This makes no sense to me. The one and only service account has project editor role granted, and I confirmed that the bucket ACL list gives owner access to both the project editor role AND to the service account. I also tried changing the service account to have "WRITE" permission instead of "OWNER" on the bucket but that doesn't help. Finally, I'm using the downloaded ssh keys for the same default service account when doing all of this from my local machine, so I don't understand why it is changing.

Part of the problem is that I can't see where the rubber meets the road--all I get is a 403 with no more information. I can't see what gsutil is doing (in fact, I'm not even sure how gsutil obtains its credentials, since that is all done automatically when you ssh in via the console--I'm just assuming it's logging in under the service account).

I'd obviously like to fix this immediate problem, but I'd also appreciate any tips as to how to debug these issues as they come up in the future.

Upvotes: 3

Views: 1336

Answers (1)

Brandon Yarbrough

Reputation: 38379

I believe you've run into a pretty common problem, but I could be wrong, so I'll outline what's needed from the top before I explain.

By default, gsutil on compute engine doesn't use your personal user credentials. Instead, it will automatically acquire credentials to act as the service account configured for that VM (usually the Compute Engine default service account).

That service account will need two things in order to write to GCS: 1.) permission from GCS to write to that particular location, and 2.) scope to write to GCS.

It sounds like you've set up the service account as a project editor and even made it an owner of the bucket in question, so you've taken care of item 1. However, by default, GCE only grants your instance a read-only scope for accessing storage. That'll most likely be why reads are working for you, but writes aren't.

Fixing this is somewhat annoying, as scopes cannot be edited on running instances. So, you'll need to create a new GCE instance, and when doing so, make sure you explicitly specify a scope. If you're using the UI, choose either "Allow full access to all Cloud APIs", or choose "set access for each API" and make sure to choose "Read Write" or "Full" for Storage.

There are better instructions on how to do this on Google's site: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#using

Upvotes: 4
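As an added example (not from the question or the answer above), here is a small POSIX shell check that separates the two requirements the answer lists: it takes the scope list that a VM's metadata server exposes and reports whether any scope in it allows Cloud Storage writes. The scope lists embedded below are constructed samples; the metadata URL and the gcloud `--scopes` flag are real.

```shell
#!/bin/sh
# Added example: is the VM's OAuth scope the reason for a 403 on upload?
# On a live VM the scope list comes from the metadata server:
#   curl -s -H 'Metadata-Flavor: Google' \
#     http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes
# A bucket ACL / IAM grant alone is not enough; the token must also carry a write scope.

# Scopes that let gsutil write objects to GCS (any one of them is sufficient).
WRITE_SCOPES="https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/cloud-platform"

# Reads a newline-separated scope list on stdin; returns 0 if a write scope is present.
has_gcs_write_scope() {
  while IFS= read -r scope; do
    for w in $WRITE_SCOPES; do
      [ "$scope" = "$w" ] && return 0
    done
  done
  return 1
}

# Prints a verdict for the scope list passed as $1; returns 0 (writes possible) or 1.
check_scopes() {
  if printf '%s\n' "$1" | has_gcs_write_scope; then
    echo "OK: a storage write scope is present"
    return 0
  fi
  echo "403 on upload expected: only read-only storage scope (IAM/ACL grants cannot fix this)"
  return 1
}

# Constructed sample 1: the read-only default scope set the console assigns to a new VM.
DEFAULT_SCOPES="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/trace.append"

# Constructed sample 2: the scopes of a VM created with
#   gcloud compute instances create NAME --scopes=storage-rw,logging-write
FIXED_SCOPES="https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/logging.write"

check_scopes "$DEFAULT_SCOPES" || true   # verdict for the console default
check_scopes "$FIXED_SCOPES"              # verdict after recreating with storage-rw
```

On a real instance, feed `check_scopes` the metadata-server output instead of the samples; if it reports the read-only scope, no amount of bucket ACL editing will change the 403.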
