GCS write access from inside a GKE pod

I am not able to get write access to a GCS bucket from within a GKE pod.

I have a GKE pod running. I have not changed any k8s configuration regarding service accounts. I have docker exec'd into the pod and installed gcloud/gsutil. gcloud auth list shows a [email protected] entry. From within GCS I have added that same account as storage admin, storage legacy bucket owner, storage object creator (i.e., I just tried a bunch of stuff). I am able to run gsutil ls gs://bucket. However when running gsutil cp file gs://bucket, it prints:

    AccessDeniedException: 403 Insufficient OAuth2 scope to perform this operation.
    Acceptable scopes: https://www.googleapis.com/auth/cloud-platform

gsutil acl get gs://bucket prints:

    AccessDeniedException: Access denied. Please ensure you have OWNER permission on gs://bucket

Other things I have tried are adding the allUsers and allAuthenticatedUsers as creators and owners of the bucket, with no change. I am able to write to the bucket from my dev machine just fine.

When I run gsutil acl get gs://bucket from another machine, it prints the same address as an OWNER as the output from gcloud auth list from within the pod.

What is the special sauce I need to allow the pod to write to the bucket?

mjibson asked Oct 29 '22 01:10


2 Answers

You need to set permissions for the cluster (or better, for the particular node in the case of Terraform):

    oauth_scopes = [
      "https://www.googleapis.com/auth/devstorage.read_write", // 'ere we go!
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      "https://www.googleapis.com/auth/service.management.readonly",
      "https://www.googleapis.com/auth/servicecontrol",
      "https://www.googleapis.com/auth/trace.append",
      "https://www.googleapis.com/auth/compute",
    ]
orkenstein answered Nov 09 '22 23:11
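A quick way to confirm the diagnosis from inside the pod, before touching IAM again: the token the pod gets from the metadata server is limited to the node pool's OAuth scopes, so `devstorage.read_only` explains why `gsutil ls` works while `gsutil cp` returns the 403 above. The script below is an added example, not code from either answer; the sample scope lists are constructed, and the metadata URL and `Metadata-Flavor` header are the standard GCE/GKE ones.

```shell
#!/bin/sh
# Classify what a node's OAuth scope list allows against GCS.
# IAM roles on the bucket do not help if the node token lacks a write scope.

# Reads one scope per line on stdin; exit 0 if any scope grants GCS write.
# cloud-platform covers everything; devstorage.full_control and read_write
# cover GCS writes; devstorage.read_only (the GKE default) does not.
gcs_write_scope_present() {
    grep -qE '^https://www\.googleapis\.com/auth/(cloud-platform|devstorage\.(full_control|read_write))$'
}

# Prints "write" or "read-only" for a newline-separated scope list.
classify_scopes() {
    if printf '%s\n' "$1" | gcs_write_scope_present; then
        echo write
    else
        echo read-only
    fi
}

# Fetch the default service account's scopes from the metadata server.
# Only works inside a GCE VM or GKE pod; use as: classify_scopes "$(pod_scopes)"
pod_scopes() {
    curl -fsS -H 'Metadata-Flavor: Google' \
        'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# Constructed sample resembling a default GKE node pool (GCS read-only).
DEFAULT_LIKE_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring'

# Constructed sample after applying the read_write scope from the answer above.
FIXED_SCOPES='https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring'
```

Run `classify_scopes "$(pod_scopes)"` from a shell in the pod; "read-only" means the node pool scopes (not bucket IAM) are what needs changing.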


The GKE cluster was created with default permissions, which only have read scope for GCS. Solutions:

  1. Apply advice from Changing Permissions of Google Container Engine Cluster
  2. Set GOOGLE_APPLICATION_CREDENTIALS as described in https://developers.google.com/identity/protocols/application-default-credentials
mjibson answered Nov 10 '22 01:11