gsutil copy returning "AccessDeniedException: 403 Insufficient Permission" from GCE
One other thing to look for is to make sure you set up the appropriate scopes when creating the GCE VM. Even if a VM has a service account attached, it must be assigned devstorage scopes in order to access GCS.
For example, if you had created your VM with the devstorage.read_only scope, trying to write to a bucket would fail, even if your service account has permission to write to the bucket. You would need devstorage.full_control or devstorage.read_write.
See the section on Preparing an instance to use service accounts for details.
Note: the default compute service account has very limited scopes (including read-only access to GCS). This is done because the default service account has Project Editor IAM permissions. If you use any user service account, this is not typically a problem, since user-created service accounts get all scope access by default.
After adding the necessary scopes to the VM, gsutil may still be using cached credentials which don't have the new scopes. Delete ~/.gsutil before trying the gsutil commands again. (Thanks to @mndrix for pointing this out in the comments.)
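A quick way to apply the scope check described in this answer on the VM itself. This is an added example and not part of the original answer: it reads the instance's OAuth scopes from the GCE metadata server (a real endpoint) or, when run off GCE, falls back to a constructed sample list that, like the default compute service account, carries only devstorage.read_only for storage, and reports whether a GCS read or write can succeed at the scope level. The function names and the sample list are this example's own; the scope URLs are the real ones.

```shell
#!/bin/sh
# Check whether a GCE instance's OAuth scopes permit a GCS read or write.
# A 403 "Insufficient Permission" from gsutil on GCE is often a scope problem,
# not an IAM problem, so check scopes before touching bucket permissions.

# Constructed sample (example data, not read from a real VM): mirrors the
# default compute service account in that storage is read-only.
SAMPLE_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/trace.append'

# gcs_scope_allows SCOPES OP
#   SCOPES: newline-separated scope URLs, as the metadata server returns them
#   OP:     read | write
#   exit 0 if the scopes permit OP on GCS, 1 if not, 2 on a bad OP
gcs_scope_allows() {
    _scopes=$1
    _op=$2
    # cloud-platform ("Allow full access to all Cloud APIs") covers everything.
    if printf '%s\n' "$_scopes" | grep -qx 'https://www.googleapis.com/auth/cloud-platform'; then
        return 0
    fi
    case $_op in
        read)
            printf '%s\n' "$_scopes" \
              | grep -qE '^https://www\.googleapis\.com/auth/devstorage\.(read_only|read_write|full_control)$'
            ;;
        write)
            # read_only is deliberately absent here: that is the failure mode
            # the answer above describes.
            printf '%s\n' "$_scopes" \
              | grep -qE '^https://www\.googleapis\.com/auth/devstorage\.(read_write|full_control)$'
            ;;
        *)
            return 2
            ;;
    esac
}

# fetch_scopes: ask the metadata server (only reachable from inside a GCE VM);
# on failure or off GCE, fall back to the constructed sample so the script
# still demonstrates the check.
fetch_scopes() {
    curl -sf --connect-timeout 2 --max-time 3 -H 'Metadata-Flavor: Google' \
        'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes' \
        2>/dev/null || printf '%s\n' "$SAMPLE_SCOPES"
}

# Usage: run with --live on a VM to query the metadata server; with no
# argument the constructed sample is evaluated.
if [ "${1:-}" = "--live" ]; then
    scopes=$(fetch_scopes)
else
    scopes=$SAMPLE_SCOPES
fi

for op in read write; do
    if gcs_scope_allows "$scopes" "$op"; then
        echo "$op: allowed by instance scopes"
    else
        echo "$op: blocked by instance scopes (need devstorage.read_write, devstorage.full_control or cloud-platform; stop the VM, change scopes, restart, then delete ~/.gsutil)"
    fi
done
```

With the sample scopes the script reports that reads are allowed and writes are blocked, which is exactly the situation that produces the 403 on a copy into a bucket even when IAM grants write. A passing scope check does not prove IAM is correct, only that the scope layer is not the thing blocking the request.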
You have to log in with an account that has the permissions you need for that project:
gcloud auth login
gsutil config -b
Then open the URL it provides, click Allow, copy the verification code and paste it into the terminal.
- Stop the VM.
- Go to VM instance details.
- Under "Cloud API access scopes" select "Allow full access to all Cloud APIs", then click "Save".
- Restart the VM and delete ~/.gsutil.
I have written an answer to this question since I can not post comments:
This error can also occur if you're running the gsutil command with a sudo prefix in some cases.