I am using Google Cloud Storage and Google Compute Engine and am trying to upload to my bucket from my VM. My bucket has read/write permissions and so does anyone that has access to it. They are labeled as Owner. I can download from my bucket fine. When I try to upload to my bucket, this is the error I get: ResumableUploadAbortException: 403 Insufficient Permission. I am unsure as to why this is the case. Any clues?
Change the Cloud API access scope of the VM to allow read/write on Storage. This is in the "Access scopes" section of the VM settings. Your VM needs to be stopped to do this.
0. Stop VM instance
1. Open VM instance details
2. Press "Edit"
3. Change Cloud API access scope--> "Allow full access to all cloud APIs"
IMPORTANT!!
Note per this comment on a related post that you may need to delete the credentials in ~/.gsutil after defining the new scope.
# VM instance console
sudo rm -r ~/.gsutil
On the GCE instance, run the following to set up. There is no need to restart Compute Engine.
gcloud init
Output will be something like this.
Choose the account you would like to use to perform operations for this configuration:
[1] [email protected]
[2] Log in with a new account
Please enter your numeric choice: 1
Choose number 1 to use a service account. If this is a shared machine and you log in with your personal account, your credentials could be used by anyone else on the machine. For more detail, read here.
If you have already initialized gcloud, you do not want to reinitialize.
gcloud auth login
Are you using the default service account on the VM to access the bucket? That only has read scope by default. Try creating a VM with Read/Write scope.
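The scope check behind this answer, as an added example that is not part of the original thread: a shell function that classifies the VM's OAuth scope list, in the form the metadata server returns it, and reports whether uploads are blocked by scope. The function names and the sample scope list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers): work out what the VM's OAuth
# access scopes allow on Cloud Storage, independent of bucket IAM roles.
# On a GCE VM, feed it the real scope list from the metadata server:
#   curl -s -H 'Metadata-Flavor: Google' \
#     'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes' \
#     | storage_scope_level

# Reads one scope URL per line on stdin; prints none | read | write | full.
storage_scope_level() {
  ssl_level=none
  while IFS= read -r ssl_scope || [ -n "$ssl_scope" ]; do
    case "$ssl_scope" in
      */auth/cloud-platform | */auth/devstorage.full_control)
        ssl_level=full ;;
      */auth/devstorage.read_write)
        if [ "$ssl_level" != full ]; then ssl_level=write; fi ;;
      */auth/devstorage.read_only)
        if [ "$ssl_level" = none ]; then ssl_level=read; fi ;;
    esac
  done
  printf '%s\n' "$ssl_level"
}

# Maps the scope level to the likely cause of "403 Insufficient Permission"
# on upload. Scopes cap what the token can do; IAM roles are checked as well.
explain_upload_403() {
  case "$1" in
    full | write) echo "scope permits writes; check the service account's role on the bucket" ;;
    read) echo "scope is read-only; downloads work but uploads are refused" ;;
    *) echo "no storage scope; the VM token cannot be used for Cloud Storage" ;;
  esac
}

# Constructed sample: a scope list with read-only storage access.
SAMPLE_READ_ONLY='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write'

level=$(printf '%s\n' "$SAMPLE_READ_ONLY" | storage_scope_level)
echo "storage scope level: $level"
explain_upload_403 "$level"
```

A result of `read` matches the symptom in the question: downloads succeed and uploads fail, whatever role the bucket grants.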
You need to give your instance's service account permission to create objects in your storage bucket. Although the other answers achieve this, they may open up more permissions than you need. Here is how to add only the one single additional permission:
- Get your service account's email address:
$ gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* [email protected]
- Open your bucket in the Cloud Console and go to the "Permissions" tab
- Click "Add Members"
- Paste in the service account's email address from above
- Under "Role", select "Storage Object Admin"
- Note: this gives permission to create, list, and delete objects. If you only need to create objects, you can try "Storage Object Creator" instead.
- Click "Save"
Note that this gives permissions to all instances sharing the same service account. If you need finer-grained access control, you should make a different service account for each instance.
After you do these steps, you need to reload the permissions as others have said:
rm -rf ~/.gsutil
rm -rf /root/.gsutil
Let me put it in simpler steps if possible:
- From the console, stop the VM, edit access control and change "Storage" permission from READ to Write or full.
- Start the VM
Flush the cache from the command line
rm -r ~/.gsutil
This should be working.
When interacting with other Cloud Platform products, such as Google Cloud Storage (buckets), in non-interactive ways, such as from a VM instance, it's advisable to use scopes which in turn makes use of service accounts, the preferred way of authenticating VM / systems. Further reading can be found here.
If you are coming here looking to do similar stuff on Windows, in addition to Daniel's answer, follow these steps after restarting the instance.
Log in, go to the command line with administrative privileges, and execute
rmdir /s /q C:\users\<your-login-account>\.gsutil
followed by
gcloud init
This will guide you through the re-initialization of your account with the new privileges.
Basically select 1 and then again 1 in the next step and you are set.