Join Log in
Score:1
Stephen Daniel avatar Server

GCP service account permissions

br flag
Stephen Daniel

GCP newbie here, hopefully there is a quick answer I'm missing.

I have project with a GCE VM running in it. I'd like to backup a data set from time to time to GCP's object storage. My plan is to run 'gsutil rsync ...' from a cron job.

I created a bucket for the job to use. I did not edit permissions, roles or anything on the bucket.

I run "sudo su -" so that I am running as root, as I expect a cron job will, then type

gsutil rsync -r -d <dir to back up> gs://<bucket>/

and I get

AccessDeniedException: 403 Insufficient Permission

While in this state, I typed 'gcloud config list' and got

account = <xyz>[email protected]

disable_usage_reporting = True

project = <project id>

Your active configuration is: [default]

This is the default service account created when I created the VM. I've not done any editing on it.

In the console, I went to IAM->service accounts, click on this service account, click on the permissions tab, and I see that this service account is an Editor on <project id>

In the console I go to Cloud Storage, Browse, click on my bucket, go to the permissions tab, and I see that the role of Editor on has roles 'Storage Legacy Bucket Owner' and 'Storage Legacy Object Owner' Looking at those roles, I am told the first is read/write access to existing buckets with create/list/delete permissions on objects. The second gives me read/write access to existing objects.

I've verified that the bucket is, at the moment, empty.

What do I need to do to enable my gsutil command to run with sufficient permissions?

259
1 + 0
Score:1
John Hanley avatar Server
cn flag
John Hanley

Most likely your problem is insufficient Compute Engine VM instance Cloud API Access Scopes.

The gsutil rsync command requires the following permissions:

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.list
  • storage.objects.get # required for bucket to bucket copies

The role roles/editor has none of those permissions.

Google Cloud Compute Engine VM instances use two methods to authorize:

  • The default service account
  • Cloud API Access Scopes

The service account must have a role granting the permissions listed above OR the service account identity must be granted access to the bucket and its contents. Google Cloud Storage supports two different authorization methods. For the sake of simplicity, I recommend that you add a required role to the service account. For your use case gsutil rsync, I recommend adding the role roles/storage.legacyBucketOwner.

However, even if the service account has the required permissions via roles, the Compute Engine Cloud API Access Scopes can take away those permissions. Go to the Google Cloud Console, select your VM instance. Check what scopes are enabled. You should either enable "Storage: Full" or "Allow full access to all Cloud APIs". Otherwise, the service account will be limited in the permissions obtained for OAuth Access Tokens that gsutil requires for authorization.

Compute Engine VM instance Cloud API Access Scopes

0 + 1
Stephen Daniel avatar
br flag
Stephen Daniel
Works now! The editor role had all required permissions, but the API was not enabled in the VM. I stopped the VM, edited it to allow all APIs, restarted, and everything worked.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.