Google Certified Associate Cloud Engineer 2020


GCS & GCS Permissions Model Changed?

Working through the lab I ran into an issue where gsutil would return 403 when trying to copy the log file out. I did change the scopes on the VM configuration to storage read/write prior to this issue; in the end I had to explicitly add the VM service account to the bucket with the legacyBucketReader and legacyBucketWriter roles in order for the file to copy correctly. I did not see this when reviewing the demo videos later.

Has Google changed their permission handling since the video was made to require this extra step?

Here is a snip of the commands and json I needed to make things work when doing things through the shell:

gsutil mb -c multi_regional -l us gs://challenge-lab-bucket
gsutil iam get gs://challenge-lab-bucket > bucket_permissions.json
gcloud services enable compute.googleapis.com
gcloud iam service-accounts list
# Edit bucket_permissions.json: use the service account from the previous command
gsutil iam set bucket_permissions.json gs://challenge-lab-bucket

{
  "bindings": [
    {
      "members": [
        "projectEditor:challenge-lab-",
        "projectOwner:challenge-lab-"
      ],
      "role": "roles/storage.legacyBucketOwner"
    },
    {
      "members": [
        "projectViewer:challenge-lab-",
        "serviceAccount:XXXXXX-compute@developer.gserviceaccount.com"
      ],
      "role": "roles/storage.legacyBucketReader"
    },
    {
      "members": [
        "serviceAccount:XXXXXX-compute@developer.gserviceaccount.com"
      ],
      "role": "roles/storage.legacyBucketWriter"
    }
  ],
  "etag": "CAE="
}
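As an added example (not from the post or the course), a small Python helper that does the manual "edit bucket_permissions.json" step: it takes the policy that `gsutil iam get` wrote, adds the VM service account to the two legacy roles without duplicating members, and keeps the etag so the following `gsutil iam set` can be made conditional on the policy not having changed. The sample policy, the project id and the service account address are constructed placeholders.

```python
import json
from copy import deepcopy

# Constructed sample in the shape returned by `gsutil iam get gs://BUCKET`
# before the service account was added. "example-project" is a placeholder.
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["projectEditor:example-project", "projectOwner:example-project"],
         "role": "roles/storage.legacyBucketOwner"},
        {"members": ["projectViewer:example-project"],
         "role": "roles/storage.legacyBucketReader"},
    ],
    "etag": "CAE=",
}


def roles_for_member(policy, member):
    """Sorted list of roles `member` holds in a bucket IAM policy."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def grant(policy, member, role):
    """Return a copy of `policy` with `member` bound to `role`.

    Idempotent: an existing binding is reused and the member is not
    duplicated. The etag is preserved for the read-modify-write.
    """
    new = deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def render(policy):
    """Serialize in the form `gsutil iam set FILE gs://BUCKET` accepts."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Placeholder address for the Compute Engine default service account.
    sa = "serviceAccount:XXXXXX-compute@developer.gserviceaccount.com"
    policy = SAMPLE_POLICY
    for role in ("roles/storage.legacyBucketReader",
                 "roles/storage.legacyBucketWriter"):
        policy = grant(policy, sa, role)
    print(render(policy))
```

Pipe the output to a file and hand it to `gsutil iam set`; re-running the script against the updated policy produces the same bindings again.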

1 Answer

I did this with Terraform, but all I had to do was add the following scopes to the Google-managed Service Account:

service_account {
  scopes = ["logging-write", "storage-rw"]
}

I got those from the list of scopes here. That did the trick for me, I didn’t have to make any changes to the bucket itself.

For what it's worth, in a later lecture it is recommended that we use the following to make policy-role bindings (rather than acquiring, editing and redeploying the JSON):

gcloud iam service-accounts add-iam-policy-binding