ResumableUploadAbortException: 403 Insufficient Permission
N

7

39

I am using Google Cloud Storage and Google Compute Engine and am trying to upload to my bucket from my VM. My bucket has read/write permissions and so does anyone that has access to it. They are labeled as Owner. I can download from my bucket fine. When I try to upload to my bucket, this is the error I get: ResumableUploadAbortException: 403 Insufficient Permission. I am unsure as to why this is the case. Any clues?

Nerty answered 19/2, 2015 at 16:50 Comment(0)
C
126

Change the Cloud API access scope of the VM to allow read/write on Storage. This is in the "Access scopes" section of the VM settings. Your VM needs to be stopped to do this.

0. Stop VM instance
1. Open VM instance details
2. Press "Edit"
3. Change Cloud API access scope --> "Allow full access to all cloud APIs"

....

https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes

IMPORTANT!! Note per this comment on a related post that you may need to delete the credentials in ~/.gsutil after defining the new scope.

# VM instance console
sudo rm -r ~/.gsutil
Casuist answered 12/1, 2017 at 2:17 Comment(5)
TILT: rm -rf ~/.gsutil - Hawse
In addition to this you need to make sure that the Service Account can create objects in the bucket. You can do this by going to the bucket, clicking on Permissions, and adding the Service Account email with a Storage Object Creator role. - Popovich
Just a note that instead of choosing "Allow full access to all Cloud APIs" as recommended in the current version of the documentation, it is possible to choose "Set access for each API" and then proceed to the Storage combobox selection and set it to Full - Doorframe
This did the trick # VM instance console sudo rm -r ~/.gsutil - Effloresce
In my case I used sudo gsutil, so it used another user and did not upload until I removed sudo. - Radbun
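
One way to confirm the access-scope diagnosis from this answer before stopping the VM (an added example, not part of the original answers): it classifies the scope list that the metadata server reports for the VM's default service account. The metadata path and scope URLs are Google's published ones; the function names and the two sample scope lists are constructed here.

```sh
#!/bin/sh
# Added example: classify a GCE VM's access scopes for Cloud Storage.

# Metadata-server path listing the scopes of the VM's default service account.
SCOPES_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"

# Fetch the live scope list. This only works on a GCE VM, so it is
# defined here but not called by the offline demonstration below.
fetch_scopes() {
    curl -s -H "Metadata-Flavor: Google" "$SCOPES_URL"
}

# Read scope URLs on stdin (one per line) and print the strongest Cloud
# Storage access they allow: "write", "read" or "none".
storage_access() {
    level=none
    while IFS= read -r scope || [ -n "$scope" ]; do
        case "$scope" in
            */auth/cloud-platform|*/auth/devstorage.full_control|*/auth/devstorage.read_write)
                level=write ;;
            */auth/devstorage.read_only|*/auth/cloud-platform.read-only)
                [ "$level" = write ] || level=read ;;
        esac
    done
    printf '%s\n' "$level"
}

# Relate the level to the symptoms described on this page.
explain() {
    case "$1" in
        write) echo "scopes allow uploads; if 403 persists, check bucket IAM roles and clear ~/.gsutil" ;;
        read)  echo "read-only scope: downloads work, uploads fail with 403 Insufficient Permission" ;;
        *)     echo "no Cloud Storage scope: reads and writes are both refused" ;;
    esac
}

# Constructed sample: scopes of a VM left on read-only Storage access.
READ_ONLY_VM='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write'

# Constructed sample: the same VM after Storage was set to Read Write.
READ_WRITE_VM='https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/logging.write'

for sample in "$READ_ONLY_VM" "$READ_WRITE_VM"; do
    result=$(printf '%s\n' "$sample" | storage_access)
    echo "$result: $(explain "$result")"
done
```

On the VM itself, `fetch_scopes | storage_access` classifies the live scopes instead of the samples.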
D
14

There is no need to restart Compute Engine. On the GCE instance, run the following to set up:

gcloud init

Output will be something like this.

Choose the account you would like to use to perform operations for  this configuration:
 [1] [email protected]
 [2] Log in with a new account
Please enter your numeric choice: 1

Choose number 1 to use a service account. If this is a shared machine and you log in with your personal account, your credentials could be used by anyone else on the machine. For more detail, read here.

If you have already initialized gcloud, you do not want to reinitialize.

gcloud auth login 
Dorison answered 31/10, 2019 at 10:43 Comment(1)
this is a good, working answer if you don't want to restart the VM. - Manciple
G
5

Are you using the default service account on the VM to access the bucket? That only has read scope by default. Try creating a VM with Read/Write scope.

Gash answered 20/2, 2015 at 16:48 Comment(2)
I have to recreate another VM Instance? I have applications programmed to point to my current VM's IP Address. If I create a new VM Instance I would be assigned a new IP address. Is there a way I could give my account write permissions without doing this? - Nerty
I don't think there is any way to change the permissions on a running instance. If you need a specific IP address to remain constant, I would recommend reserving a static IP address: cloud.google.com/compute/docs/… - Gash
H
4

You need to give your instance's service account permission to create objects in your storage bucket. Although the other answers achieve this, they may open up more permissions than you need. Here is how to add only the one single additional permission:

  1. Get your service account's email address:

$ gcloud auth list
                  Credentialed Accounts
ACTIVE  ACCOUNT
*       [email protected]

  2. Open your bucket in the Cloud Console and go to the "Permissions" tab
  3. Click "Add Members"
  4. Paste in the service account's email address from above
  5. Under "Role", select "Storage Object Admin"
    • Note: this gives permission to create, list, and delete objects. If you only need to create objects, you can try "Storage Object Creator" instead.
  6. Click "Save"

Note that this gives permissions to all instances sharing the same service account. If you need finer-grained access control, you should make a different service account for each instance.

After you do these steps, you need to reload the permissions as others have said:

rm -rf ~/.gsutil
rm -rf /root/.gsutil
Hardspun answered 6/4, 2020 at 5:30 Comment(1)
you are the rock star! - Uracil
A
3

Let me put it in simpler steps, if possible:

  1. From the console, stop the VM, edit access control and change "Storage" permission from READ to Write or full.
  2. Start the VM
  3. Flush the cache from the command line

    rm -r ~/.gsutil

This should be working.

Azole answered 26/6, 2019 at 4:49 Comment(0)
L
2

When interacting with other Cloud Platform products, such as Google Cloud Storage (buckets), in non-interactive ways, such as from a VM instance, it's advisable to use scopes which in turn makes use of service accounts, the preferred way of authenticating VM / systems. Further reading can be found here.

Leif answered 20/2, 2015 at 12:14 Comment(0)
N
0

If you are coming here looking to do similar stuff on Windows, in addition to Daniel's answer, follow these steps after restarting the instance.

Log in, go to the command line with administrative privileges, and execute

rmdir /s /q C:\users\<your-login-account>\.gsutil

followed by

gcloud init 

This will guide you through the re-initialization of your account with the new privileges.

Basically select 1 and then again 1 in the next step and you are set.

Nee answered 28/9, 2022 at 18:45 Comment(0)
