Google Cloud Storage - insufficient permission

The issue seems similar to another post, but it's different for me, because I checked testIamPermission, and the results showed that I have all the permissions I need, yet I still receive insufficient permission.

This is what I received:

{'storage.buckets.get' : true}
{'storage.buckets.getIamPolicy' : true}
{'storage.objects.create' : true}
{'storage.objects.delete' : true}
{'storage.objects.get' : true}
{'storage.objects.getIamPolicy' : true}
{'storage.objects.list' : true}
{'storage.objects.setIamPolicy' : true}
{'storage.objects.update' : true}

The code I used to test:

googleBucket.iam.testPermissions([testPermissions], function(err, permissions) {
  if (!err)
    console.log(permissions);
});

Permissions I missed:

'storage.buckets.create',
'storage.buckets.delete',
'storage.buckets.list',
'storage.buckets.setIamPolicy',
'storage.buckets.update',

It's really confusing that I have all the permissions to create objects, but it still throws an insufficient permission error. All I use the API for is uploading a file to the bucket. Is there any permission I missed? (The server is located on Google Compute Engine, in the same project as Google Cloud Storage.)

It would be rather interesting to know which user runs the script.

Because it seems that the user/service which runs the script only has the viewer role, but not the editor role. Check in IAM whether you have the proper roles assigned to the proper service account. You also might need to log in to that GCE instance with Cloud Shell and add those service-account credentials. In Cloud Shell, there is a tiny "upload" button top-right, which can be used to upload the credentials JSON file into the VM. The documentation also explains this, step by step.

I have found the answer precisely. There is an option called Identity and API Access on the Create a new instance page. Just switch from Default to whatever access option (do configure it properly, though), and the problem is solved!

As for the answer provided by Martin Zeitler, that's not how GCE works when running the script: GCE automatically connects its email to other APIs with Editor permission, and there is no need to hook any JSON to an instance that is established on GCE. As I mentioned, the server is located on Google Compute Engine, in the same project as Google Cloud Storage.

However, the documentation link is fairly helpful. Thanks, Martin Zeitler, giving you an upvote for the quick answer :)
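The Identity and API Access option mentioned in the answer above also sets the VM's OAuth access scopes, which cap what the instance's token may do regardless of the IAM roles that testPermissions reports. The following is an added example, not code from the original posts: it classifies the scopes a VM reports through the metadata server, and the function names and the sample scope list are constructed for illustration.

```javascript
// Added example: IAM roles and OAuth access scopes are checked independently.
// A call succeeds only if BOTH allow it, so IAM can say "true" while the VM's
// scopes still block an upload.
const SCOPE_PREFIX = 'https://www.googleapis.com/auth/';
const METADATA_URL = 'http://metadata.google.internal/computeMetadata/v1/' +
  'instance/service-accounts/default/scopes';

// Storage access level granted by each scope (a higher level includes lower ones).
const STORAGE_LEVEL = new Map([
  ['devstorage.read_only', 1],
  ['devstorage.read_write', 2],
  ['devstorage.full_control', 3],
  ['cloud-platform', 3],
]);
const LEVEL_NAME = ['none', 'read-only', 'read-write', 'full-control'];

// Parse the newline-separated body returned by the metadata server.
function parseScopes(body) {
  return body.split('\n').map((s) => s.trim()).filter(Boolean);
}

// Highest Cloud Storage access level the VM's token can exercise.
function storageAccessLevel(scopes) {
  let level = 0;
  for (const scope of scopes) {
    if (!scope.startsWith(SCOPE_PREFIX)) continue;
    const name = scope.slice(SCOPE_PREFIX.length);
    level = Math.max(level, STORAGE_LEVEL.get(name) || 0);
  }
  return LEVEL_NAME[level];
}

// Uploading an object needs at least read-write scope.
function canUpload(scopes) {
  return ['read-write', 'full-control'].includes(storageAccessLevel(scopes));
}

// Live lookup; only works on a GCE VM and needs Node 18+ for global fetch.
async function fetchScopes() {
  const res = await fetch(METADATA_URL, { headers: { 'Metadata-Flavor': 'Google' } });
  return parseScopes(await res.text());
}

// Constructed sample: scopes of a VM left on the "Default" access option.
const defaultVmScopes = parseScopes(`
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
`);
console.log(storageAccessLevel(defaultVmScopes), canUpload(defaultVmScopes));
```

On a real instance, pass the result of fetchScopes() to canUpload() before debugging IAM roles any further.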

The service account of your Google Cloud Compute Engine instance should match the one being used to access the Google Cloud Storage bucket.

If it doesn't match, stop the instance, change the service account by selecting the correct service account from the drop box (Service accounts linked to only current project would be visible in the dropdown list).

Also, make sure that the selected Service account has correct Google Cloud Storage access.
