Recovering access after initially provisioning wrong scopes for an instance
I recently created a VM, but mistakenly gave the default service account Storage: Read Only permissions instead of the intended Read Write under "Identity & API access", so GCS write operations from the VM are now failing.


I realized my mistake, so following the advice in this answer, I stopped the VM, changed the scope to Read Write and started the VM. However, when I SSH in, I'm still getting 403 errors when trying to create buckets.
$ gsutil mb gs://some-random-bucket
Creating gs://some-random-bucket/...
AccessDeniedException: 403 Insufficient OAuth2 scope to perform this operation.
Acceptable scopes: https://www.googleapis.com/auth/cloud-platform
How can I fix this? I'm using the default service account, and don't have the IAM permissions to be able to create new ones.
$ gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* (projectnum)-compute@developer.gserviceaccount.com
This question has an open bounty worth +100 reputation from jpatokal ending in 5 days. This question has not received enough attention.
edited Nov 7 at 22:43
asked Nov 7 at 6:05
jpatokal
Does your personal account have permission to create a bucket? Just wanted to propose a different solution - create the bucket yourself and then grant the service account write permission to the bucket with gsutil acl ch -u (projectnum)-compute@developer.gserviceaccount.com:W gs://example-bucket OR from the GCP console by selecting the bucket and modifying its permissions.
– Daniel t.
yesterday
2 Answers
Try creating the Google Cloud Storage bucket with your user account.
Type gcloud auth login and access the link you are provided; once there, copy the code and paste it into the command line.
Then do gsutil mb gs://bucket-name.
answered yesterday
Maxim
The security model has 2 things at play: API scopes and IAM permissions. Access is determined by the AND of them. So you need an acceptable scope and enough IAM privileges in order to do whatever action.
- API scopes are bound to the credentials. They are represented by a URL like https://www.googleapis.com/auth/cloud-platform.
- IAM permissions are bound to the identity. These are set up in the Cloud Console's IAM & admin > IAM section.
This means you can have 2 VMs with the default service account, but with different levels of access.
For simplicity you generally want to just set the IAM permissions and use the cloud-platform API auth scope.
To check if you have this set up, go to the VM in the Cloud Console and you'll see something like:
Cloud API access scopes
Allow full access to all Cloud APIs
When you SSH into the VM, by default gcloud will be logged in as the service account on the VM. I'd discourage logging in as yourself; otherwise you more or less break gcloud's configuration to read the default service account.
Once you have this set up you should be able to use gsutil properly.
answered yesterday
Jeremy Edwards
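An added diagnostic script (not from this thread, not a Google tool) that checks the scope half of that "scope AND IAM" decision from inside the VM: it compares the scopes the metadata server reports for the instance's default service account with the scopes carried by the access token gcloud currently hands out, so a token that does not reflect the stop/change-scope/start cycle shows up as a mismatch. It assumes curl and gcloud are installed on the VM, and that devstorage.read_write and devstorage.full_control are write-capable alongside the cloud-platform scope named in the 403 message; the IAM side still has to be checked in the Cloud Console.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): check the scope half of the
# scope AND IAM decision from inside the VM. IAM bindings still have to be
# verified separately in the Cloud Console's IAM section.

# Scopes that let a service account create buckets. cloud-platform is the one
# the 403 message names; the two devstorage scopes are an assumption.
WRITE_SCOPES="https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/devstorage.read_write"

# scopes_allow_write "<newline-separated scopes>": returns 0 if any granted
# scope is write-capable, 1 otherwise (a read_only-only list returns 1).
scopes_allow_write() {
    granted="$1"
    for s in $WRITE_SCOPES; do
        printf '%s\n' "$granted" | grep -qxF "$s" && return 0
    done
    return 1
}

# Scopes the instance is configured with, straight from the metadata server.
# The Metadata-Flavor header is mandatory; only code running on the VM can ask.
instance_scopes() {
    curl -sf -H 'Metadata-Flavor: Google' \
        'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# Scopes carried by the access token gcloud hands out right now; if this list
# differs from instance_scopes, the tools are not using a token that reflects
# the instance configuration.
token_scopes() {
    tok=$(gcloud auth print-access-token) || return 1
    curl -sf "https://oauth2.googleapis.com/tokeninfo?access_token=$tok" \
        | sed -n 's/.*"scope": *"\([^"]*\)".*/\1/p' | tr ' ' '\n'
}

# diagnose: run on the VM after the stop / change scope / start cycle.
# Exit status 0 only when both lists contain a write-capable scope.
diagnose() {
    inst=$(instance_scopes) || { echo "metadata server unreachable (not a GCE VM?)"; return 2; }
    tok=$(token_scopes)     || { echo "could not inspect the gcloud token"; return 2; }
    echo "instance scopes:"; echo "$inst"
    echo "token scopes:";    echo "$tok"
    scopes_allow_write "$inst" || echo "instance still lacks a write scope"
    scopes_allow_write "$tok"  || echo "token lacks a write scope"
    scopes_allow_write "$inst" && scopes_allow_write "$tok"
}
```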