Using gsutil to copy a file from a GKE container fails with AccessDeniedException: 403 Insufficient Permission

Question

I installed gsutil in a Dockerfile as follows:

FROM postgres
RUN apt-get update -y
RUN apt-get install -y curl python && curl -sSL https://sdk.cloud.google.com | bash
ENV PATH $PATH:/root/google-cloud-sdk/bin

Then deployed it as a container in the following Pod:

apiVersion: v1
kind: Pod
metadata:
  name: postgresql-backup
spec:
  containers:
    - name: web
      image: xxx/posgresql-backup:latest
      ports:
        - name: web
          containerPort: 80
          protocol: TCP
      command: ['sh', '-c', 'echo The app is running! && sleep 36000']

Notice the container is executing under the default Service Account in my case: 111111111-compute@developer.gserviceaccount.com

I had previously created a bucket named: posgresql-backup

When I open a terminal in the executing container: kubectl exec -it xxx -- /bin/bash

If I run gsutil ls gs://posgresql-backup, it returns the list of files in that bucket:

gs://posgresql-backup/dump1.sql

However when I try to cp a file from the container to the bucket gsutil cp myfile.txt gs://posgresql-backup:

AccessDeniedException: 403 Insufficient Permission     

In the bucket permissions I added the service account as Storage Admin and Storage Object Admin but it didn't make a difference.

What else am I missing?

Answer 1

The problem was that the default node pool configuration for GKE nodes sets Cloud Storage API as read only so I had to customize it: