GCP file copy from bucket fails with could not reach metadata service

Question

Issue - While using the gsutil command to download a file from google bucket with public access from a GCP instance we get the following error

root@openvpn:~# gsutil cp gs://google-artifacts-1/openvpn/openvpn-install.sh /tmp/openvpn-install.sh Failure: Could not reach metadata service: Not Found.

Answer 1

If you are:

• Working from within a Compute Engine instance
• Using a service account from another project for the CE instance.

Then you need to add roles/iam.serviceAccountTokenCreator to the Compute Engine Service Agent (Service Agents are GCP managed Service Accounts)

Service agent for Compute Engine is: serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com

Answer 2

What helped was to activate email service account for compute engine. Ater reboot, it work nicely

Answer 3

If you are running gcloud/gsutil commands on an instance, and getting error like

Failure: Could not reach metadata service: Not Found.

check instance scopes in "Cloud API access scopes" section in instance details page. There, service you are accessing inside instance should be enabled and instance service account should have proper access to that service.

Answer 4

As of now, that error appears when you haven't authenticated, it's not very accurate at describing what the issue is. Make sure you have issued a "gcloud auth login" before trying the cp.

If that does not solve the issue, do try a "gsutil -D cp gs://google-artifacts-1/openvpn/openvpn-install.sh /tmp/openvpn-install.sh", it's the same command as yours but with the -D flag documented here. That will display debug info.

Cheers,

Miguel.