sportzcode
Reputation: 125
How can I resolve "HttpError: Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object., 401" error?
The problem: I'm trying to read in a .gz JSON file that is stored in one of my project's cloud storage bucket using a google colab python notebook and I keep getting this error:
HttpError: Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object., 401
My code:
fs = gcsfs.GCSFileSystem(project='my-project')
with fs.open('bucket/path.json.gz') as f:
gz = gzip.GzipFile(fileobj=f)
file_as_string = gz.read()
json_a = json.loads(file_as_string)
I've tried all of these authentication methods and still get the same 401 error :
!gcloud auth login
!gcloud auth list
!gcloud projects list
!gcloud config set project 'myproject-id'
from google.colab import auth
auth.authenticate_user()
!gcloud config set account 'my GCP email'
!gcloud auth activate-service-account
!gcloud auth application-default login
!gsutil config
!gcloud config set pass_credentials_to_gsutil false
!gsutil config -a
I've also set my GCP IAM permissions to:
- Editor
- Owner
- Storage Admin
- Storage Object Admin
- Storage Object Creator
- Storage Object Viewer
- Storage Transfer Admin
Upvotes: 11
Views: 23594
Answers (1)
DazWilkin
Reputation: 40366
It's not entirely clear from your question but:
gcloudand Google SDKs both use Google's identity|auth platform but they don't share state. You usually (!) can't login usinggcloudand expect code using an SDK to be authenticated too- @john-hanley correctly points out that one (often confusing) way to share state between
gcloudand code using Google SDKs is to usegcloud auth application-default login. However, this only works becausegcloudwrites its state locally and code using Google SDKs when running as the same user on the same host, will be able to access this state. I think (!?) this won't work with browser-based collab - I'm unfamiliar with
gcsfs.GCSFileSystembut, it is not a Google SDK. Unless its developers have been particularly thoughtful, it won't be able to leverage authentication done by the Google SDK usingauth.authenticate_user().
So...
I think you should:
- Ensure that your user account (
[email protected]or whatever) hasroles/storage.objectAdmin(or any predefined role that permitsstorage.objects.get). - Use
google.collab.authandauth.authenticate_user()to obtain credentials for the browser's logged-in user (i.e.[email protected]). - Use a Google Cloud Storage library, e.g.
google-cloud-storageto access the GCS object. The Google library can leverage the credentials obtained in the previous step.
Update
Here's an example.
NOTE: it use the API Client Library rather than the Cloud Client Library but these are functionally equivalent.
Upvotes: 2
Related Questions
- gsutil ServiceException: 401 Anonymous caller does not have storage.objects.list access to bucket even though I'm loggedin in gcloud
- service account does not have storage.objects.get access for Google Cloud Storage
- Anonymous caller does not have storage.objects.get
- Google Cloud Storage HttpAccessTokenRefreshError: invalid_grant: Bad Request
- How to handle Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object
- GCP - storage.Client.from_service_account_json
- GoogleStorageException - 401 Unauthorized / Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket
- Authenticate Google Storage object with access token in python
- Unable to authenticate Google Cloud Storage client in python
- Getting 401 error, reason:Anonymous users does not have storage.objects.create access to bucket