GCP service account permissions

GCP newbie here, hopefully there is a quick answer I'm missing.

I have a project with a GCE VM running in it. I'd like to back up a data set from time to time to GCP's object storage. My plan is to run 'gsutil rsync ...' from a cron job.

I created a bucket for the job to use. I did not edit permissions, roles or anything on the bucket.

I run "sudo su -" so that I am running as root, as I expect a cron job will, then type

gsutil rsync -r -d <dir to back up> gs://<bucket>/

and I get

AccessDeniedException: 403 Insufficient Permission

While in this state, I typed 'gcloud config list' and got

account = <xyz>[email protected]
disable_usage_reporting = True
project = <project id>

Your active configuration is: [default]

This is the default service account created when I created the VM. I've not done any editing on it.

In the console, I went to IAM->service accounts, click on this service account, click on the permissions tab, and I see that this service account is an Editor on <project id>

In the console I go to Cloud Storage, Browse, click on my bucket, go to the permissions tab, and I see that the Editor role has the roles 'Storage Legacy Bucket Owner' and 'Storage Legacy Object Owner'. Looking at those roles, I am told the first gives read/write access to existing buckets with create/list/delete permissions on objects. The second gives me read/write access to existing objects.

I've verified that the bucket is, at the moment, empty.

What do I need to do to enable my gsutil command to run with sufficient permissions?


Solution 1:

Most likely your problem is insufficient Compute Engine VM instance Cloud API Access Scopes.

The gsutil rsync command requires the following permissions:

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.list
  • storage.objects.get (required for bucket-to-bucket copies)

The role roles/editor has none of those permissions.

Google Cloud Compute Engine VM instances use two methods to authorize:

  • The default service account
  • Cloud API Access Scopes

The service account must have a role granting the permissions listed above OR the service account identity must be granted access to the bucket and its contents. Google Cloud Storage supports two different authorization methods. For the sake of simplicity, I recommend that you add a required role to the service account. For your use case gsutil rsync, I recommend adding the role roles/storage.legacyBucketOwner.

However, even if the service account has the required permissions via roles, the Compute Engine Cloud API Access Scopes can take away those permissions. Go to the Google Cloud Console, select your VM instance. Check what scopes are enabled. You should either enable "Storage: Full" or "Allow full access to all Cloud APIs". Otherwise, the service account will be limited in the permissions obtained for OAuth Access Tokens that gsutil requires for authorization.

Compute Engine VM instance Cloud API Access Scopes
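The two checks the answer walks through (does the instance's OAuth token carry a storage scope that allows writes, and does the service account hold a role on the bucket), as an added example that is not part of the question or the answer above. VM_NAME, ZONE, BUCKET and the two scope lists are constructed placeholders; the `check` subcommand is meant to be run on the VM itself against the metadata server, the `fix` subcommand from a workstation with gcloud, and the bucket-level grant is a narrower alternative to the project-wide role the answer suggests:

```shell
#!/bin/sh
# Added example (not from the original post): diagnose and repair a Compute
# Engine VM whose default service account gets "403 Insufficient Permission"
# from gsutil rsync. All names below are placeholders, not the poster's.

VM_NAME="${VM_NAME:-my-vm}"
ZONE="${ZONE:-us-central1-a}"
BUCKET="${BUCKET:-my-backup-bucket}"
METADATA_SCOPES_URL='http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'

# Constructed sample: the scopes a VM created with the console defaults gets.
# devstorage.read_only is the one that turns a write into a 403 even when
# IAM would otherwise allow it.
DEFAULT_VM_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/trace.append'

# Same list with the storage scope widened to full_control, which is what
# "Storage: Full" in the console selects.
FIXED_VM_SCOPES=$(printf '%s\n' "$DEFAULT_VM_SCOPES" \
  | sed 's#devstorage.read_only#devstorage.full_control#')

# Return 0 if one OAuth scope URL permits creating and deleting objects.
scope_allows_write() {
  case "$1" in
    https://www.googleapis.com/auth/cloud-platform) return 0 ;;
    https://www.googleapis.com/auth/devstorage.full_control) return 0 ;;
    https://www.googleapis.com/auth/devstorage.read_write) return 0 ;;
    *) return 1 ;;
  esac
}

# Read newline-separated scopes on stdin; return 0 if any of them permits
# object writes, 1 if the token would be limited to reads.
scopes_allow_write() {
  while IFS= read -r scope; do
    [ -n "$scope" ] || continue
    if scope_allows_write "$scope"; then
      return 0
    fi
  done
  return 1
}

# Run on the VM: ask the metadata server which scopes the instance token carries.
check_live_vm() {
  scopes=$(curl -sf -H 'Metadata-Flavor: Google' "$METADATA_SCOPES_URL") || {
    echo "metadata server unreachable; not running on a GCE VM?" >&2
    return 2
  }
  if printf '%s\n' "$scopes" | scopes_allow_write; then
    echo "instance scopes permit object writes; look at IAM next"
  else
    echo "instance storage scope is read-only; gsutil writes will 403 regardless of IAM roles"
    return 1
  fi
}

# Run from a workstation: bind the VM's service account on the bucket only
# (least privilege) rather than granting a project-wide role.
grant_bucket_role() {
  sa_email=$(gcloud compute instances describe "$VM_NAME" --zone "$ZONE" \
    --format='value(serviceAccounts[0].email)')
  gsutil iam ch "serviceAccount:${sa_email}:legacyBucketOwner" "gs://${BUCKET}"
}

# Scopes can only be changed while the instance is stopped.
fix_scopes() {
  scope_csv=$(printf '%s\n' "$FIXED_VM_SCOPES" | paste -sd, -)
  gcloud compute instances stop "$VM_NAME" --zone "$ZONE"
  gcloud compute instances set-service-account "$VM_NAME" --zone "$ZONE" \
    --scopes "$scope_csv"
  gcloud compute instances start "$VM_NAME" --zone "$ZONE"
}

case "${1:-}" in
  check) check_live_vm ;;
  fix)   grant_bucket_role && fix_scopes ;;
esac
```

Run `sh fix-gsutil-access.sh check` on the VM first: if it reports a read-only storage scope, no amount of IAM editing will make the rsync succeed, because the access token gsutil obtains from the metadata server is capped by the instance scopes. Only then run `fix` from a machine where gcloud is authenticated as a project owner, and accept the reboot that the scope change requires.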