user2006506

Reputation: 119

Google Cloud Storage Transfer Service fails with PERMISSION_DENIED error

I've set up a transfer with Google Cloud Storage Transfer Service in order to back up the bucket to another region.

The setup is very simple: transfer all bucket data to another bucket. Both buckets are owned by the same Google Cloud Platform account.

The master bucket is Standard storage class with fine-grained access control. The backup bucket uses uniform access control and has a retention policy enabled for 7 days.

Unfortunately, every single transfer has failed so far.

Any idea on how to solve this?

Here's the error we're getting.

[screenshot of the transfer error]

Upvotes: 0

Views: 1834

Answers (2)

crazy-matt

Reputation: 33

I made it work with this google_storage_bucket_iam_binding below enabled for the source bucket:

"roles/storage.legacyBucketWriter" : [
  "serviceAccount:${data.google_storage_transfer_project_service_account.default.email}",
]
"roles/storage.objectViewer" : [
  "serviceAccount:${data.google_storage_transfer_project_service_account.default.email}",
]
"roles/storage.legacyBucketReader" : [
  "serviceAccount:${data.google_storage_transfer_project_service_account.default.email}",
]

and google_storage_bucket_iam_binding below enabled for the sink bucket:

"roles/storage.legacyBucketWriter" : [
  "serviceAccount:${data.google_storage_transfer_project_service_account.default.email}",
]
"roles/storage.objectViewer" : [
  "serviceAccount:${data.google_storage_transfer_project_service_account.default.email}",
]

using this GCP documentation: https://cloud.google.com/storage-transfer/docs/configure-access

Upvotes: 0
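The grants the answer above describes, written out as one complete Terraform configuration. This is an added example, not the answerer's code or anything from the original question; it assumes three input variables (project_id, source_bucket, backup_bucket), an arbitrary placeholder start date for the schedule, and uses the role sets from the linked configure-access page. It uses google_storage_bucket_iam_member rather than google_storage_bucket_iam_binding, because an iam_binding is authoritative for its role and would silently remove any other principal that already held roles/storage.objectViewer on the source bucket.

```hcl
# Added example (not the original poster's or answerer's code). Assumed
# inputs: var.project_id, var.source_bucket and var.backup_bucket.
variable "project_id"    { type = string }
variable "source_bucket" { type = string }
variable "backup_bucket" { type = string }

# The per-project agent that Storage Transfer Service runs as.
data "google_storage_transfer_project_service_account" "default" {
  project = var.project_id
}

locals {
  sts_member = "serviceAccount:${data.google_storage_transfer_project_service_account.default.email}"

  # Role sets from https://cloud.google.com/storage-transfer/docs/configure-access.
  # legacyBucketWriter on the SOURCE is only needed when the job deletes
  # objects from the source after transfer, so it is left out here.
  source_roles = ["roles/storage.objectViewer", "roles/storage.legacyBucketReader"]
  sink_roles   = ["roles/storage.objectViewer", "roles/storage.legacyBucketWriter"]
}

# iam_member is additive: it grants this one principal without replacing
# whoever else already holds the role (iam_binding is authoritative and
# would remove them).
resource "google_storage_bucket_iam_member" "source" {
  for_each = toset(local.source_roles)
  bucket   = var.source_bucket
  role     = each.value
  member   = local.sts_member
}

resource "google_storage_bucket_iam_member" "sink" {
  for_each = toset(local.sink_roles)
  bucket   = var.backup_bucket
  role     = each.value
  member   = local.sts_member
}

resource "google_storage_transfer_job" "backup" {
  description = "Copy ${var.source_bucket} to ${var.backup_bucket}"
  project     = var.project_id

  transfer_spec {
    gcs_data_source { bucket_name = var.source_bucket }
    gcs_data_sink   { bucket_name = var.backup_bucket }
    transfer_options {
      # Objects under a retention policy cannot be overwritten or deleted
      # until the retention period ends, so do not ask the job to do either.
      overwrite_objects_already_existing_in_sink = false
      delete_objects_unique_in_sink              = false
      delete_objects_from_source_after_transfer  = false
    }
  }

  schedule {
    # Placeholder start date (assumed); adjust to the real first run.
    schedule_start_date {
      year  = 2021
      month = 1
      day   = 1
    }
    start_time_of_day {
      hours   = 2
      minutes = 0
      seconds = 0
      nanos   = 0
    }
  }

  # Create the job only after the grants exist; otherwise its first run
  # fails with PERMISSION_DENIED before the bindings have propagated.
  depends_on = [
    google_storage_bucket_iam_member.source,
    google_storage_bucket_iam_member.sink,
  ]
}
```

Two points worth checking before applying this. First, the member must be the Storage Transfer Service agent for the project that owns the transfer job (the data source above resolves it), not the user or service account that created the job; granting the roles to the wrong principal produces exactly the PERMISSION_DENIED in the question. Second, the sink in the question has a 7-day retention policy: Cloud Storage refuses to delete or replace an object until it reaches the retention age, so a job configured to overwrite or delete in the sink will fail on any object written within the last 7 days even when the IAM grants are correct.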

JoX

Reputation: 140

Do all the objects have the permissions to be copied? As far as I can understand, it seems that the objects listed, e.g. gs://proactive-xxx-xxx/spend-cloud-storage/prod-tfstate, do not have the permissions granted to the user that is performing the action. According to Setting up a transfer job:

Note: Your user account must have storage.buckets.get permission for source and destination buckets to be selected using the UI.

You can double-check all the permissions on the objects mentioned in your error message. Finally, I recommend not sharing your bucket name; it could compromise its security if security controls are not properly set.

Upvotes: 0
