AccessDeniedException:403在GCS上使用所有者帐户禁止 [英] AccessDeniedException: 403 Forbidden on GCS using owner account
问题描述
我尝试访问存储桶中的文件,但我一直拒绝访问文件.我可以在GCS控制台中看到它们,但是可以通过它们访问它们,而不能通过运行以下命令的gsutil访问它们.
I have tried to access files in a bucket and I keep getting access denied on the files. I can see them in the GCS console but can access them through that and cannot access them through gsutil either running the command below.
gsutil cp gs://my-bucket/folder-a/folder-b/mypdf.pdf files/
但是所有返回的都是AccessDeniedException: 403 Forbidden
我可以列出所有文件,但实际上不能访问它们.我尝试将我的用户添加到ACL中,但这仍然没有效果.所有的文件从一个虚拟机上载通过保险丝安装它非常完美,只是失去了所有的访问.
I can list all the files and such but not actually access them. I've tried adding my user to the acl but that still had no effect. All the files were uploaded from a VM through a fuse mount which worked perfectly and just lost all access.
我检查了这些帖子,但似乎没有一个解决方案对我有帮助
I've checked these posts but none seem to have a solution thats helped me
gsutil副本返回"AccessDeniedException:403权限不足"来自GCE
gsutil cors set命令返回403 AccessDeniedException
推荐答案
这很有可能.拥有存储桶将向该存储桶授予FULL_CONTROL权限,其中包括列出该存储桶中的对象的功能.但是,存储桶权限不会自动暗示任何类型的对象权限,这意味着,如果某个其他帐户正在上传对象并将ACL设置为私有"之类,则存储桶的所有者将无法访问它(尽管存储桶所有者可以删除该对象(即使他们无法读取该对象),因为删除对象是存储桶权限).
This is quite possible. Owning a bucket grants FULL_CONTROL permission to that bucket, which includes the ability to list objects within that bucket. However, bucket permissions do not automatically imply any sort of object permissions, which means that if some other account is uploading objects and sets ACLs to be something like "private," the owner of the bucket won't have access to it (although the bucket owner can delete the object, even if they can't read it, as deleting objects is a bucket permission).
我不熟悉默认的FUSE设置,但是如果我不得不猜测,您正在使用项目的系统帐户上载对象,并且将它们设置为私有.没关系.最简单的测试方法是从GCE主机运行gsutil,其中默认凭据为系统帐户.如果可行,则可以使用gsutil将ACL切换到更宽松的方式,例如"project-private".
I'm not familiar with the default FUSE settings, but if I had to guess, you're using your project's system account to upload the objects, and they're set to private. That's fine. The easiest way to test that would be to run gsutil from a GCE host, where the default credentials will be the system account. If that works, you could use gsutil to switch the ACLs to something more permissive, like "project-private."
执行此操作的命令为:
gsutil acl set -R project-private gs://muBucketName/
这篇关于AccessDeniedException:403在GCS上使用所有者帐户禁止的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
