gsutil ls command gives "OSError: Permission denied"

Question

My gsutil is at 4.48 and python is at 2.7.5.

Tried "gsutil ls" and getting the above mentioned error.

sh-4.2$ cd /root/google-cloud-sdk/bin/

sh-4.2$ ls -lah

total 63M

drwxrwxrwx 3 root root 222 Mar 25 16:49 .

drwxrwxrwx 9 root root 329 Mar 25 16:49 ..

-rwxrwxrwx 1 root root 5.8K Mar 24 02:38 gcloud

-rwxrwxrwx 1 root root 5.9K Feb 14 20:54 gsutil

-rwxrwxrwx 1 root root 5.8K Mar 24 02:38 java_dev_appserver.sh

sh-4.2$ gsutil ls

OSError: Permission denied.

sh-4.2$ python -V

Python 2.7.5

sh-4.2$ gsutil version

gsutil version: 4.48

sh-4.2$

Any help here guys??

Answer 1

I just ran into this. In my case, the problem was that because I installed gsutil as root during the container build, and was running the container as a different user, gsutil didn't have rights to its own state directory. I fixed it by adding the following lines to my Dockerfile:

# Permissions needed for gsutil and the gcloud CLI
RUN mkdir -p /.config
RUN chown -R 1234 /.config
RUN mkdir -p /.gsutil
RUN chown -R 1234 /.gsutil
RUN echo "[GSUtil]\nstate_dir=/.gsutil" > /.boto
RUN chown -R 1234 /.boto

You'll have to run whoami at the command line to figure out which ID you'll need to use instead of 1234 (or look at the USER directive in the Dockerfile).

Once I did this, I was able to use both gcloud AND gsutil with no issues.

Answer 2

You are using the account from the Kubernetes cluster. In that context is not authenticated with the GCP and will not be authorized.

You have a couple of options to authenticate. 1) If you are using GKE, you can enable Workload Identity.

2) Export a Service Account and store it as a Secret like here.

3) In the context of the container, you can create a configuration file for gsuil. You may use this documentation.