gsutil副本返回"AccessDeniedException:403权限不足"来自GCE [英] gsutil copy returning "AccessDeniedException: 403 Insufficient Permission" from GCE

问题描述

我已通过SSH登录到GCE实例.从那里，我想在服务帐户的帮助下访问存储:

I am logged in to a GCE instance via SSH. From there I would like to access the Storage with the help of a Service Account:

GCE> gcloud auth list
Credentialed accounts:
 - 1234567890-compute@developer.gserviceaccount.com (active)

我首先确保在我正在从事的项目的权限中将此服务帐户标记为可以编辑".我还确保在他要复制文件的存储桶中给他写ACL:

I first made sure that this Service account is flagged "Can edit" in the permissions of the project I am working in. I also made sure to give him the Write ACL on the bucket I would like him to copy a file:

local> gsutil acl ch -u 1234567890-compute@developer.gserviceaccount.com:W gs://mybucket

但是以下命令失败:

GCE> gsutil cp test.txt gs://mybucket/logs

(我还确保在"mybucket"下创建"logs").

(I also made sure that "logs" is created under "mybucket").

我收到的错误消息是:

Copying file://test.txt [Content-Type=text/plain]...
AccessDeniedException: 403 Insufficient Permission               0 B  

我想念什么?

推荐答案

要寻找的另一件事是，确保在创建GCE VM时设置适当的作用域.即使VM已附加服务帐户，也必须为其分配开发范围以访问GCS.

One other thing to look for is to make sure you set up the appropriate scopes when creating the GCE VM. Even if a VM has a service account attached, it must be assigned devstorage scopes in order to access GCS.

例如，如果您使用devstorage.read_only范围创建了VM，则即使您的服务帐户有权写入存储桶，尝试写入存储桶也会失败.您需要devstorage.full_control或devstorage.read_write.

For example, if you had created your VM with devstorage.read_only scope, trying to write to a bucket would fail, even if your service account has permission to write to the bucket. You would need devstorage.full_control or devstorage.read_write.

有关详细信息，请参见准备实例以使用服务帐户的部分.

See the section on Preparing an instance to use service accounts for details.

注意:默认的计算服务帐户的范围非常有限(包括对GCS只读).这样做是因为默认服务帐户具有项目编辑器IAM权限.如果您使用任何用户服务帐户，这通常不会出现问题，因为默认情况下，用户创建的服务帐户将获得所有作用域访问.

Note: the default compute service account has very limited scopes (including having read-only to GCS). This is done because the default service account has Project Editor IAM permissions. If you use any user service account this is not typically a problem since user created service accounts get all scope access by default.

在向VM添加必要的作用域之后，gsutil可能仍在使用没有新作用域的缓存凭据.再次尝试gsutil命令之前，请先删除~/.gsutil. (感谢@mndrix在评论中指出这一点.)

After adding necessary scopes to the VM, gsutil may still be using cached credentials which don't have the new scopes. Delete ~/.gsutil before trying the gsutil commands again. (Thanks to @mndrix for pointing this out in the comments.)

这篇关于gsutil副本返回"AccessDeniedException:403权限不足"来自GCE的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！