Reputation: 16882
I am not able to get write access to a GCS bucket from within a GKE pod.

I have a GKE pod running. I have not changed any k8s configuration regarding service accounts. I have docker exec'd into the pod and installed gcloud/gsutil. gcloud auth list shows a [email protected] entry. From within GCS I have added that same account as storage admin, storage legacy bucket owner, storage object creator (i.e., I just tried a bunch of stuff). I am able to run gsutil ls gs://bucket. However, when running gsutil cp file gs://bucket, it prints:

AccessDeniedException: 403 Insufficient OAuth2 scope to perform this operation.
Acceptable scopes: https://www.googleapis.com/auth/cloud-platform

gsutil acl get gs://bucket prints:

AccessDeniedException: Access denied. Please ensure you have OWNER permission on gs://bucket

Other things I have tried are adding allUsers and allAuthenticatedUsers as creators and owners of the bucket, with no change. I am able to write to the bucket from my dev machine just fine.

When I run gsutil acl get gs://bucket from another machine, it prints the same address as an OWNER as the output from gcloud auth list from within the pod.

What is the special sauce I need to allow the pod to write to the bucket?
Upvotes: 8
Views: 9015
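The two error messages in the question point at different things: "Insufficient OAuth2 scope" is about the token the node hands out, while "ensure you have OWNER permission" is what gsutil says when it cannot even read the ACL. The script below is an added example (not from the question or any answer) that separates a scope problem from an IAM problem: gsutil inside a pod uses the node's default service-account token, and that token can never do more than the node pool's OAuth scopes allow, whatever IAM roles or bucket ACLs the account has been given. The metadata-server URL is the real endpoint; the two scope lists are constructed samples (the GKE default set, and the same set with devstorage.read_write swapped in), so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the question or answers): tell a missing OAuth
# scope apart from a missing IAM role. The node's token is capped by the
# node pool's scopes; IAM roles on the bucket cannot raise that cap.

# Real metadata-server endpoint; returns the node's scopes, one per line.
METADATA_SCOPES_URL='http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'

# Scopes that permit object writes (gsutil cp). Any one of these is enough.
GCS_WRITE_SCOPES='https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/devstorage.full_control'
GCS_READ_SCOPE='https://www.googleapis.com/auth/devstorage.read_only'

# has_scope SCOPELIST SCOPE -> 0 if SCOPE appears as an exact line in SCOPELIST
has_scope() {
  printf '%s\n' "$1" | grep -qxF "$2"
}

# can_write_gcs SCOPELIST -> 0 if any write-capable scope is present
can_write_gcs() {
  for s in $GCS_WRITE_SCOPES; do
    has_scope "$1" "$s" && return 0
  done
  return 1
}

# diagnose SCOPELIST -> prints one of: write-ok, read-only, no-gcs
#   read-only is the situation in the question: gsutil ls works, gsutil cp
#   and gsutil acl get fail, and no bucket ACL or IAM change can fix it.
diagnose() {
  if can_write_gcs "$1"; then
    echo write-ok
  elif has_scope "$1" "$GCS_READ_SCOPE"; then
    echo read-only
  else
    echo no-gcs
  fi
}

# node_scopes -> live query; only works on a GCE/GKE node (header is required)
node_scopes() {
  curl -sf -H 'Metadata-Flavor: Google' "$METADATA_SCOPES_URL"
}

# Constructed sample: the scopes a GKE node pool gets by default.
DEFAULT_NODE_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/trace.append'

# Constructed sample: the same idea with devstorage.read_write in place of
# read_only, as the Terraform answer on this page suggests.
WRITE_NODE_SCOPES='https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring'

echo "default node pool: $(diagnose "$DEFAULT_NODE_SCOPES")"   # read-only
echo "read_write pool:   $(diagnose "$WRITE_NODE_SCOPES")"     # write-ok
# On a real node, run: diagnose "$(node_scopes)"
```

Run it inside the pod as diagnose "$(node_scopes)"; a read-only verdict means the fix is on the node pool (scopes are fixed at node-pool creation), not on the bucket.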
Reputation: 466
Had the same issue; I had to recreate a node pool with a custom security config in order to get that access. Also, in my pod I mounted the SA provided in a secret (default-token-XXXXX). Then, once gcloud is installed in the pod (via Dockerfile), it works like a charm. The key is the node-pool config and mounting the SA.
Upvotes: 0
Reputation: 2858
You need to set permissions for the cluster (or better, for a particular node in the case of Terraform):
oauth_scopes = [
"https://www.googleapis.com/auth/devstorage.read_write", // 'ere we go!
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring",
"https://www.googleapis.com/auth/service.management.readonly",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/trace.append",
"https://www.googleapis.com/auth/compute",
]
Upvotes: 3
Reputation: 16882
The GKE cluster was created with default permissions, which only have read scope to GCS. Solutions:
GOOGLE_APPLICATION_CREDENTIALS as described in https://developers.google.com/identity/protocols/application-default-credentials
Upvotes: 2
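If you take the GOOGLE_APPLICATION_CREDENTIALS route, the key file you mount into the pod is a long-lived credential, so it is worth checking before the variable is exported. The script below is an added example, not from this answer or from Google's tooling: it confirms the file is a service-account key with the fields the client libraries need, that it is not readable by group or others, and it prints the client_email so you can compare it against the account you granted the bucket role to. The sample key is constructed with placeholder values.

```shell
#!/bin/sh
# Added example (not from the answer): sanity-check a mounted service-account
# key before pointing GOOGLE_APPLICATION_CREDENTIALS at it. A key file is a
# long-lived credential, so a malformed or over-exposed file should fail fast.

# validate_sa_key FILE -> 0 if FILE is a service-account key with the fields
# the client libraries need and is not readable by group/others; else 1
validate_sa_key() {
  f="$1"
  [ -f "$f" ] || { echo "no such key file: $f" >&2; return 1; }
  # ls columns 5-10 are the group/other permission bits; all must be '-'
  case "$(ls -ld "$f" | cut -c5-10)" in
    ------) ;;
    *) echo "key is readable by group or others: $f" >&2; return 1 ;;
  esac
  grep -q '"type": *"service_account"' "$f" \
    || { echo "not a service_account key: $f" >&2; return 1; }
  for field in client_email private_key; do
    grep -q "\"$field\":" "$f" \
      || { echo "key lacks $field: $f" >&2; return 1; }
  done
}

# sa_key_email FILE -> prints the client_email, to compare with the account
# that was granted the bucket role
sa_key_email() {
  sed -n 's/.*"client_email": *"\([^"]*\)".*/\1/p' "$1"
}

# use_sa_key FILE -> exports GOOGLE_APPLICATION_CREDENTIALS only if FILE passes
use_sa_key() {
  validate_sa_key "$1" || return 1
  GOOGLE_APPLICATION_CREDENTIALS="$1"
  export GOOGLE_APPLICATION_CREDENTIALS
}

# Constructed sample key (placeholder values, not a real key). mktemp creates
# the file with mode 0600, which is what the permission check expects.
SAMPLE_KEY=$(mktemp)
cat > "$SAMPLE_KEY" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "client_email": "[email protected]",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
}
EOF

if use_sa_key "$SAMPLE_KEY"; then
  echo "using key for $(sa_key_email "$SAMPLE_KEY")"
fi
```

In a pod, mount the secret read-only and run use_sa_key on the mounted path before starting gcloud or gsutil; a key with devstorage.read_write is still the minimum that gsutil cp needs, so grant the key's account only the bucket role it requires.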