I have created a service account with a roles/storage.admin role on it with the following condition:
resource.name.startsWith(
"//storage.googleapis.com/projects/_/buckets/rakibs-new-bucket"
)
However, when this service account tries to query anything in the bucket it says the following:
Error: Failed to get existing workspaces: querying Cloud Storage failed: googleapi: Error 403: my-new-service-account#my-project.iam.gserviceaccount.com does not have storage.objects.list access to rakibs-new-bucket., forbidden
For reference: I followed this gcloud doc link to construct the resource name of the GCS bucket in the role condition.
Learned that the domain part was not necessary. Just ommitting the //storage.googleapis.com/ part worked.
resource.name.startsWith(
"projects/_/buckets/rakibs-new-bucket"
)
Related
I need to view a gcloud bucket with my service account which has a Owner role.
I followed the advice (How do I grant a specific permission to a Cloud IAM service account using the gcloud CLI?) on creating a custom role called BucketViewer, that has the storage.buckets.get permission and assigning it to my service account and the project.
Now, when I try to view the buckets metadata (as described here: https://cloud.google.com/storage/docs/getting-bucket-information#get-bucket-size-cli) :
gsutil ls -L -b gs://bucketname
It still returns the error:
my_service#account.com does not have storage.buckets.get access to the Google Cloud Storage bucket.
I am glad for any help.
Anyone successfully using gcsfuse?
I've tried to remove all default permission to the bucket,
and setup a service account:
gcloud auth activate-service-account to activate serviceaccname
And then running:
gcsfuse --debug_gcs --foreground cloudbuckethere /backup
gcs: Req 0x0: -> ListObjects() (307.880239ms): googleapi: Error 403: xxxxxx-compute#developer.gserviceaccount.com does not have storage.objects.list access
It's weird that it's complaining that the user xxxxx-compute which is not my activated service account:
gcloud auth list
Does show my current service account is active...
I've also granted admin owner, admin object owner, write object, read object to the bucket to my serviceaccname.
If I grant xxxxx-compute to my bucket with all the permission, including legacy permissions, listing seems to work. but writing any file to the directory failed with:
googleapi: Error 403: Insufficient Permission, insufficientPermissions
Anyone have any luck?
I found a solution, not sure if this is a good solution, but it works.
Setup a service account and download the JSON file.
Grant access to the bucket as bucket admin with the above service account name.
Then run add into environment variable, pointing to the path to the service JSON file.
GOOGLE_APPLICATION_CREDENTIALS=/path-to-json/gcloud.json gcsfuse --debug_gcs --foreground bucketname /path-to-mount
Also take note that it may uses large amount of space in the tmp directory by default. Adding flag:
... --temp-dir=/someotherpath
Will really helps if you have limited space in /tmp.
I am using the golang storage API to add notifications to my bucket.
https://godoc.org/cloud.google.com/go/storage#BucketHandle.AddNotification
I am getting the following error: Unable to set notifications for bucket: googleapi: Error 403: The service account 'dev-lm#gs-project-accounts.iam.gservice
account.com' does not have permission to publish messages to to the Cloud Pub/Sub topic '//pubsub.googleapis.com/projects/dev-lm/topics/local_sanket_ms-transcript-incoming', or that topic does not exist., forbidden
Clearly, its a permission issue. Although -- I am not sure why the service account looks like that. I am not sure where this account is being construed from or how do I override it with an account I know is valid. Any hints where to look?
Looks like there's a bug.
Following official documentation:
https://cloud.google.com/compute/docs/instances/create-start-instance
After
gcloud compute instances create test-2
Recieved:
ERROR: (gcloud.compute.instances.create) Could not fetch resource:
- The resource '1045904521672-compute#developer.gserviceaccount.com' of type 'serviceAccount' was not found.
Being authorized correctly, role is set to Owner.
> gcloud auth list
returns
Credentialed Accounts
ACTIVE ACCOUNT
* **#gmail.com
To set the active account, run:
$ gcloud config set account `ACCOUNT`
However, an instance can be created with custom service account.
Any ideas?
Thank you in advance.
This seems similar to: Unable to create cluster on Dataproc after deleting default service account
Perhaps the answers there can help you out.
I'm trying to create a bucket using GCP Deployment Manager. I already went through the QuickStart guide and was able to create a compute.v1.instance. But I'm trying to create a bucket in Google Cloud Storage, but am unable to get anything other than 403 Forbidden.
This is what my template file looks like.
resources:
- type: storage.v1.bucket
name: test-bucket
properties:
project: my-project
name: test-bucket-name
This is what I'm calling
gcloud deployment-manager deployments create deploy-test --config deploy.yml
And this is what I'm receiving back
Waiting for create operation-1474738357403-53d4447edfd79-eed73ce7-cabd72fd...failed.
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation operation-1474738357403-53d4447edfd79-eed73ce7-cabd72fd: <ErrorValue
errors: [<ErrorsValueListEntry
code: u'RESOURCE_ERROR'
location: u'deploy-test/test-bucket'
message: u'Unexpected response from resource of type storage.v1.bucket: 403 {"code":403,"errors":[{"domain":"global","message":"Forbidden","reason":"forbidden"}],"message":"Forbidden","statusMessage":"Forbidden","requestPath":"https://www.googleapis.com/storage/v1/b/test-bucket"}'>]>
I have credentials setup, and I even created an account owner set of credentials (which can access everything) and I'm still getting this response.
Any ideas or good places to look? Is it my config or do I need to pass additional credentials in my request?
I'm coming from an AWS background, still finding my way around GCP.
Thanks
Buckets on Google Cloud Platform need to be unique.
If you try to create a bucket with a name that is already used by somebody else (on another project), you will receive an ERROR MESSAGE. I would test by creating a new bucket with another name.