gsutil copy returning “AccessDeniedException: 403 Insufficient Permission” from GCE

Frontend · Unresolved · 9 · 2201
野的像风 2020-12-02 11:48

I am logged in to a GCE instance via SSH. From there I would like to access the Storage with the help of a Service Account:

GCE> gcloud auth list
Credenti         

9 answers
  • 2020-12-02 12:11
    1. Stop VM
    2. go to --> VM instance details.
    3. in "Cloud API access scopes" select "Allow full access to all Cloud APIs" then Click "save".
    4. restart VM and Delete ~/.gsutil .
    
  • 2020-12-02 12:25

    gsutil config -b

    Then surf to the URL it provides, [ CLICK Allow ]

    Then copy the verification code and paste to terminal.

  • 2020-12-02 12:26

    One other thing to look for is to make sure you set up the appropriate scopes when creating the GCE VM. Even if a VM has a service account attached, it must be assigned devstorage scopes in order to access GCS.

    For example, if you had created your VM with devstorage.read_only scope, trying to write to a bucket would fail, even if your service account has permission to write to the bucket. You would need devstorage.full_control or devstorage.read_write.

    See the section on Preparing an instance to use service accounts for details.

    Note: the default compute service account has very limited scopes (including having read-only access to GCS). This is done because the default service account has Project Editor IAM permissions. If you use any user service account this is not typically a problem, since user-created service accounts get all scope access by default.

    After adding necessary scopes to the VM, gsutil may still be using cached credentials which don't have the new scopes. Delete ~/.gsutil before trying the gsutil commands again. (Thanks to @mndrix for pointing this out in the comments.)

  • 2020-12-02 12:28

    Change the permissions of bucket.

    Add a user for "All User" and give "Storage Admin" access.

  • 2020-12-02 12:31

    You have to log in with an account that has the permissions you need for that project:

    gcloud auth login
    
  • 2020-12-02 12:33

    From the docs: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes

    You need to first stop the instance -> go to edit page -> go to "Cloud API access scopes" and choose "storage full access or read/write or whatever you need it for"

    Changing the service account and access scopes for an instance

    If you want to run the VM as a different identity, or you determine that the instance needs a different set of scopes to call the required APIs, you can change the service account and the access scopes of an existing instance. For example, you can change access scopes to grant access to a new API, or change an instance so that it runs as a service account that you created, instead of the Compute Engine Default Service Account.

    To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance. Use one of the following methods to change the service account or access scopes of the stopped instance.

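The answers above (1, 3 and 6) all come down to the same diagnosis: a VM's access scopes gate what its token may call, before the service account's IAM roles are even consulted. The script below is an added example, not code from this thread or from Google; it turns that check into something you can run on the instance. The metadata server endpoint, the Metadata-Flavor header and the devstorage / cloud-platform scope URIs are the real ones; the function names, the constructed sample scope list and the output wording are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): does the VM's scope list permit a
# given Cloud Storage operation? This is gate one (VM access scopes);
# gate two (the service account's IAM role on the bucket) is separate.

# Real scope URIs. cloud-platform is what the console's
# "Allow full access to all Cloud APIs" setting grants.
SCOPE_RO='https://www.googleapis.com/auth/devstorage.read_only'
SCOPE_RW='https://www.googleapis.com/auth/devstorage.read_write'
SCOPE_FULL='https://www.googleapis.com/auth/devstorage.full_control'
SCOPE_ALL='https://www.googleapis.com/auth/cloud-platform'

# has_scope SCOPES URI: succeeds if the newline-separated SCOPES contains URI exactly.
has_scope() {
    printf '%s\n' "$1" | grep -qxF "$2"
}

# storage_scope_allows SCOPES OPERATION: OPERATION is read or write.
# Returns 0 when the scopes permit it, 1 otherwise; prints the reason.
storage_scope_allows() {
    scopes=$1
    op=$2
    if has_scope "$scopes" "$SCOPE_ALL" || has_scope "$scopes" "$SCOPE_FULL" \
        || has_scope "$scopes" "$SCOPE_RW"; then
        echo "ok: scopes permit $op on GCS"
        return 0
    fi
    if [ "$op" = read ] && has_scope "$scopes" "$SCOPE_RO"; then
        echo "ok: scopes permit read on GCS"
        return 0
    fi
    if has_scope "$scopes" "$SCOPE_RO"; then
        echo "denied: only devstorage.read_only is granted; $op needs devstorage.read_write, devstorage.full_control or cloud-platform"
    else
        echo "denied: no devstorage or cloud-platform scope on this VM"
    fi
    return 1
}

# On a GCE VM the metadata server lists the attached service account's
# scopes one per line; the Metadata-Flavor header is mandatory.
fetch_vm_scopes() {
    curl -sf --connect-timeout 2 -m 5 -H 'Metadata-Flavor: Google' \
        'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# Usage on the VM:  sh check_scopes.sh write
# Off GCE (metadata server unreachable) it evaluates a constructed sample
# resembling the default compute service account's read-only storage scope.
main() {
    op=${1:-write}
    if scopes=$(fetch_vm_scopes 2>/dev/null) && [ -n "$scopes" ]; then
        storage_scope_allows "$scopes" "$op"
        return $?
    fi
    sample="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write"
    echo "metadata server not reachable; evaluating constructed sample scopes"
    storage_scope_allows "$sample" read
    storage_scope_allows "$sample" write
    return 0
}

main "$@"
```

A "denied" result is exactly the situation answers 1 and 6 fix through the console; on the command line the same change is `gcloud compute instances stop NAME --zone ZONE`, then `gcloud compute instances set-service-account NAME --zone ZONE --scopes=storage-rw` (the alias for devstorage.read_write; `cloud-platform` is the console's "full access" option, and the narrower scope is the better default since every process on the VM inherits it), then `gcloud compute instances start NAME --zone ZONE`. As answer 3 notes, delete ~/.gsutil afterwards so gsutil does not reuse a token minted under the old scopes. An "ok" result only means the token may call the Storage API: the service account still needs an IAM role on the bucket, such as roles/storage.objectCreator for uploads, or the 403 persists.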