I am trying to create bucket using gsutil provided by kubernetes.
Below is the response -
$ gsutil mb -c nearline -p kubetest gs://some-bucket
Creating gs://some-bucket/...
AccessDeniedException: 403 hello.user#gmail.com does not have storage.buckets.create access to bucket some-bucket.
I tried the above because when trying run kuberentes on bare metal failed with below exception.
$ cluster/kube-up.sh
... Starting cluster in us-central1-b using provider gce
... calling verify-prereqs
... calling verify-kube-binaries
... calling kube-up
Project: kubetest
Network Project: kubetest
Zone: us-central1-b
BucketNotFoundException: 404 gs://kubernetes-staging-9e9580a659 bucket does not exist.
Creating gs://kubernetes-staging-9e9580a659
Creating gs://kubernetes-staging-9e9580a659/...
AccessDeniedException: 403 hello.user#gmail.com does not have storage.buckets.create access to bucket kubernetes-staging-9e9580a659.
How can I resolve this error and give access to the user?
Got to cloud shell and use the command - gsutil config -b
The gsutil config command obtains access credentials for Google Cloud Storage and writes a boto/gsutil configuration file containing the obtained credentials along with a number of other configuration-controllable values and the flag -b causes gsutil config to launch a browser to obtain OAuth2 approval.
It prompts a URL. [ Hit Allow ]
In your browser you should see a page that requests you to authorize access to Google Cloud Platform APIs and Services on your behalf. After you approve, an authorization code will be displayed.
Copy the verification code and paste to terminal and hit enter
This should resolve the 403.
Related
Using Google Cloud Launcher we've deployed a Mongodb replicaset.
We are know configuring backups being uploaded to buckets.
Under the VM Cloud API access scopes, with the machine stoped, we've given Full access to Storage
When we try to upload using gsutil cp, we get the following error:
Copying file://whateverfilewe try [Content-Type=application/octet-stream]...
AccessDeniedException: 403 Insufficient OAuth2 scope to perform this operation.
Acceptable scopes: https://www.googleapis.com/auth/cloud-platform
Reading documentation, that scope seems way too much.
How should we proceed in order to give access to to a bash script (using the machines assigned service account) within a Compute engine instance upload access to a bucket inside the same project? Is full access really necessary?
Seems gsutil was caching credentials. This comment gave me the solution:
gsutil copy returning "AccessDeniedException: 403 Insufficient Permission" from GCE
gsutil -m acl -r set public-read gs://my_bucket/
command gives AccessDeniedException: 403 Forbidden error even I provide full access to my email id as owner to my_bucket.I am using blobstore api to upload the file in my project. How to solve this problem.
You probably need to set up Cloud API access for your virtual machine. Currently it needs to be set during VM creation process by enabling:
Allow full access to all Cloud APIs
To provide access for VM when you haven't chosen the above setting you need to recreate instance with full access, but there is pending improvement:
Google Cloud Platform Ability to change API access scopes
When it's done we will be able to change settings after shutting down instance.
I am using an instance template with the following metadata:
And project access:
Which is equivalent to the following command-line parameters:
gcloud compute --project "myProj" instance-templates create "myProj-template" --machine-type "n1-standard-2" --network "default" --metadata "startup-script-url=gs://my-bucket/startup-script.sh" --scopes "https://www.googleapis.com/auth/devstorage.read_only" --image "https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/images/ubuntu-1404-trusty-v20150316" --boot-disk-type "pd-ssd" --boot-disk-device-name "myProj-template"
But when it comes to executing I'm getting the following error:
google: URL gs://my-bucket/startup-script.sh is not located in Google Storage
google: Downloading url from gs://my-bucket/startup-script.sh to /var/run/google.startup.script using curl
google: Failed to download gs://my-bucket/startup-script.sh
google: AccessDeniedException: 403 Access Not Configured. Please go to the Google Developers Console (https://cloud.google.com/console#/project) for your project, select APIs and Auth and enable the Google Cloud Storage JSON API.
google: curl: (1) Protocol gs not supported or disabled in libcurl
google: Could not download startup script gs://my-bucket/startup-script.sh.
I have confirmed that I do have the API access enabled on my project for Google Cloud Storage:
I think the error message is self-explanatory. You need Google Cloud Storage JSON API enabled. From your screenshot only Google Cloud Storage is enabled.
I'm trying to copy a file from my Windows machine (already set up, and I've been using it regularly for gsutil) to copy a file, but it keeps telling me I'm trying to access protected data with no configured credentials.
Yesterday, though, it was running fine.
E:\studioProjects3\demo\rsalib\build\libs>gsutil cp rsalib-1.0.jar gs://dark-b
lade-365.appspot.com
Copying file://rsalib-1.0.jar [Content-Type=application/octet-stream]...
Uploading gs://dark-blade-365.appspot.com/rsalib-1.0.jar: 0 B/4.14 KiB
Uploading gs://dark-blade-365.appspot.com/rsalib-1.0.jar: 4.14 KiB/4.14 K
iB
You are attempting to access protected data with no configured
credentials. Please visit https://cloud.google.com/console#/project
and sign up for an account, and then run the "gcloud auth login"
command to configure gsutil to use these credentials.
E:\studioProjects3\demo\rsalib\build\libs>gsutil acl get gs://dark-blade-365.a
ppspot.com
You are attempting to access protected data with no configured
credentials. Please visit https://cloud.google.com/console#/project
and sign up for an account, and then run the "gcloud auth login"
command to configure gsutil to use these credentials.
I'm 100% sure that I own this project/bucket and it shows up on my developer console.
What I've tried so far:
Running gcloud auth login to fetch a new token. I've already done this multiple times, and it's still given me the same exact error.
Tried ensuring the project is the same as the bucket, and not the second project that I've also set up to have "authorized access" to the bucket.
Tried rebooting my machine in case there was some environment issue
Tried gcloud auth revoke, followed by gcloud auth login again.
None of these has resolved my issue. This is what gcloud auth list shows:
E:\studioProjects3\demo\rsalib\build\libs>gcloud auth list
Credentialed accounts:
- yaraju#gmail.com (active)
To set the active account, run:
$ gcloud config set account ``ACCOUNT''
Please help me figure out what's going on here.
gsutil works fine from C:. But if I run it from E:\ it gets stuck and gives me that scary error message.
To fix:
Just run gsutil from any path on C:\ and give the absolute paths to whatever local paths you want to transfer from/to.
When executin the follow command:
gsutil notifyconfig watchbucket -i myapp-channel -t myapp-token https://myapp.appspot.com/gcsnotify gs://mybucket
I receive the follow answer, but I used the same command before in another buckets and it worked:
Watching bucket gs://mybucket/ with application URL https://myapp.appspot.com/gcsnotify...
Failure: <HttpError 401 when requesting https://www.googleapis.com/storage/v1beta2/b/mybucket/o/watch?alt=json returned "Unauthorized WebHook callback channel: https://myapp.appspot.com/gcsnotify">.
I used gsutil config to set permissions and tried with gsutil config -e also.
I already tried to set the permissions, made myself owner of the project, but is not working, any help?
I was getting the same error. You must configure gsutil to use a service account before you can watch a bucket.
An additional security requirement was recently added for Object Change Notification. You must add your endpoint domain as a trusted domain on your cloud project. To do that, the domain first has to be whitelisted with the Google Webmaster Tools.
See instructions here:
https://developers.google.com/storage/docs/object-change-notification#_Authorization
I also determined that I needed to:
Whitelist my appspot domain
Create a service account before I can watch a bucket.
At first I was using the google cloud shell and I figured it should just be authenticated. gsutil ls listed the objects in my bucket so I assumed I was authenticated. However that is not the case.
You need to instal gsutil or google cloud sdk, log in, get the .p12 file from the service account, and auth it as Wind Up Toy described. After that it will work.