AccessDeniedException: 403 when trying to copy file to Google Storage from VM using gsutil

Question

I’m trying to manually do the steps I need to automate the process to understand how it works and to make sure I get all the commands straight. But when I try to do it using the command:

gsutil cp file_name gs://bucket_name/

I get the following error:

AccessDeniedException: 403 Insufficient OAuth2 scope to perform this operation.

It was supposed to be a very simple thing, but I can't get it right. I'm used to do it in AWS, but I'm not being able to do the same in Google Cloud. Anyone knows how to get over it?

Answer 1

Here's how I tackle this problem, may be helpful for new users here:

Step by step process without deleting the existing VM:

1. Stop the VM instance
2. Create a new service account IAM & Admin > Service Accounts > Add service account
3. Create a new service account with the full permission as (project > owner )
4. Create private key for this service account
5. After creating the new service account, go to vm and click on it's name > then click on edit
6. Now, in the editing mode, scroll down to the service-accounts section and select the new service account.
7. Now, access it via the in-browser ssh and you will be good to go!
8. Here's the command I used to copy files to bucket: sudo gsutil cp FILE_PATH gs://<BUCKET>

Answer 2

Hey @Marcus Vinicius Melo,

I was the project owner and still facing the same issue. After I install gcs python package, it solved. Try pip install google-cloud-storage

Answer 3

This error has nothing to do with read/write permissions, but with scope assigned to your compute instance. In other words, you need to grant it right to use GCP resources at all, read/write permissions for particular object is what you do next.

Previously it was necessary to recreate instance, but now it is enough to stop and then run below command, for example using cloud shell:

 gcloud compute instances set-service-account myinstance \
     --service-account 192893587797-compute@developer.gserviceaccount.com \
     --scopes cloud-platform

Of course replace myinstance and 192893587797-compute@developer.gserviceaccount.com with your own compute instance and service account name accordingly.

Answer 4

Hey @Marcus Vinicius Melo you just need to enable Storage Transfer API in GCP then gsutil for a GCE to bucket will be done.

Answer 5

I talked to a friend of mine and he helped me solve this, and here is the solution:

My GCE VM has read only permissions for the Google Cloud Storage. I found in web that you can only change this status when you create the GCE VM, and that in order to overcome this I would need to create a new one and delete this VM. That would work, but I didn't want to go loose everything I've done in my current VM.

The other solution that worked for me was to create a service account (Google Cloud Platform > IAM & admin > Service Accounts). You just need to give it the service account name you want, and select 'Furnish a new private key'. Then you should be good to go. After that I could copy files from GCE VM to Storage and do everything else I needed.

Answer 6

It looks like the account you're using to attempt this copy doesn't have permission to write an object to the bucket-name bucket.

If you're doing this on a GCE VM and using its default service account, make sure that you selected the correct access scopes when creating the VM -- the default scopes include read-only access to GCS. You can check this by logging into the VM and using curl to query the GCE metadata server:

$ curl -H 'Metadata-Flavor: Google' "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"
[...]
https://www.googleapis.com/auth/devstorage.read_only
[...]