Google Certified Associate Cloud Engineer 2020


Scopes, reading from metadata, setting new ones

Hello Cloud Gurus,

Exploring things related to the GCE In and Out lecture, I got myself really interested to know more about them below:

pimballeke@myhappyvm:~$ curl -H "Metadata-Flavor:Google" metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes  
https://www.googleapis.com/auth/devstorage.read_only  
https://www.googleapis.com/auth/logging.write  
https://www.googleapis.com/auth/monitoring.write  
https://www.googleapis.com/auth/pubsub  
https://www.googleapis.com/auth/service.management.readonly  
https://www.googleapis.com/auth/servicecontrol  
https://www.googleapis.com/auth/trace.append

After listing the below scopes, I see that it makes sense if I say I can list buckets from the myhappyvm because the VM is set with the https://www.googleapis.com/auth/devstorage.read_only scope, am I right? And as it is set for read_only, I tested the below:

pimballeke@myhappyvm:~$ touch file  
pimballeke@myhappyvm:~$ echo 1 > file  
pimballeke@myhappyvm:~$ cat file  
1  
pimballeke@myhappyvm:~$ gsutil cp file gs://sackdoidalacka/  
Copying file://file [Content-Type=application/octet-stream]...  
AccessDeniedException: 403 Insufficient Permission  
pimballeke@myhappyvm:~$ gsutil ls gs://sackdoidalacka/  
gs://sackdoidalacka/README-cloudshell  
gs://sackdoidalacka/README-cloudshell.txt

Going a little bit further, I would like to prove it is correct: I would like to add the read_write scope and cp the file to a bucket. I got out of the myhappyvm and ran the following:

pimballeke@cloudshell:~/.ssh (optimistic-leaf-265401)$ gcloud alpha compute instances set-scopes myhappyvm --scopes https://www.googleapis.com/auth/devstorage.read_write  
ERROR: (gcloud.alpha.compute.instances.set-scopes) Could not fetch resource:  
 - Required 'Alpha Access' permission for 'Compute API'

Reading further about the Required ‘Alpha Access’ permission for ‘Compute API’, I found an answer from a Google engineer saying that it requires whitelisting the alpha command so it can access the Compute API and put up the request.

How can I do that? Any comments? I’m still researching that so I can also find the resolution for this case.

1 Answer

Maybe you already figured it out, but adding it here for future readers.

You are attempting to use an alpha command, and those seem to be invitation only as far as I understand. See https://stackoverflow.com/questions/58343195/alpha-access-to-instance-group-method

However, you can run the same command as beta and it seems to work. So instead do

gcloud beta compute instances set-scopes myhappyvm --scopes https://www.googleapis.com/auth/devstorage.read_write  

It will prompt you and say that you will have to stop your VM before editing scopes. You can do that by running gcloud compute instances stop myhappyvm

Run the command to modify the scope and start again by running gcloud compute instances start myhappyvm

If you curl the scope endpoint now it should say read_write.
Seems like gsutil caches the permissions so you might have to remove the .gsutil folder before attempting to copy the file with gsutil.
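To tie the two halves of the thread together (the scope list read from the metadata server in the question, and the stop / change scope / start sequence in the answer), here is an added example that is not part of the original post or of any Google tooling. It reads the scope list, classifies what level of Cloud Storage access the VM's default service account can get through its scopes, and wraps the scope change so it can be dry-run. The metadata URL and the Metadata-Flavor header are the real ones from the question; SCOPES_OVERRIDE and GCLOUD are hypothetical knobs added so the functions can be exercised away from a GCE VM; the sample scope list is constructed from the output in the question. It uses the GA command `gcloud compute instances set-service-account --scopes` rather than the beta `set-scopes` from the answer; both replace the instance's whole scope list, which is the caveat to keep in mind.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes it runs either on a GCE VM
# (metadata server reachable) or with SCOPES_OVERRIDE set for offline use.

METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"

# Constructed sample: the scope list the question shows for myhappyvm.
SAMPLE_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/pubsub
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/trace.append'

# fetch_scopes: ask the metadata server for the default service account's scopes.
# The Metadata-Flavor header is mandatory; the server refuses requests without it.
# SCOPES_OVERRIDE (hypothetical) short-circuits the network call for testing.
fetch_scopes() {
  if [ -n "${SCOPES_OVERRIDE:-}" ]; then
    printf '%s\n' "$SCOPES_OVERRIDE"
    return 0
  fi
  curl -sf -H "Metadata-Flavor: Google" "$METADATA_URL"
}

# storage_level: read a scope list on stdin and print the strongest Cloud Storage
# level it grants: full_control, read_write, read_only, cloud-platform, or none.
# Note: scopes are only a ceiling; the service account's IAM roles are the other
# bound, so "read_write" here means "not blocked by scopes", not "can write".
storage_level() {
  scopes=$(cat)
  for level in full_control read_write read_only; do
    if printf '%s\n' "$scopes" | grep -qxF "https://www.googleapis.com/auth/devstorage.$level"; then
      echo "$level"
      return 0
    fi
  done
  if printf '%s\n' "$scopes" | grep -qxF "https://www.googleapis.com/auth/cloud-platform"; then
    echo "cloud-platform"
    return 0
  fi
  echo "none"
}

# set_storage_scope VM LEVEL: the stop / change / start sequence from the answer.
# GCLOUD (hypothetical) defaults to gcloud; set GCLOUD=echo to dry-run.
# Beware: --scopes replaces the entire scope list, so every other scope the VM
# needs (logging.write, monitoring.write, ...) must be passed again here.
set_storage_scope() {
  vm=$1
  level=$2
  gc=${GCLOUD:-gcloud}
  $gc compute instances stop "$vm" &&
  $gc compute instances set-service-account "$vm" \
      --scopes="https://www.googleapis.com/auth/devstorage.$level" &&
  $gc compute instances start "$vm"
}

# Stand-alone run: report the current level, using the constructed sample when
# there is no metadata server to talk to.
if [ -z "${SCOPES_OVERRIDE:-}" ] && ! curl -sf -H "Metadata-Flavor: Google" "$METADATA_URL" >/dev/null 2>&1; then
  SCOPES_OVERRIDE=$SAMPLE_SCOPES
fi
echo "storage level from scopes: $(fetch_scopes | storage_level)"
```

On the VM from the question the script prints `read_only`, which matches the 403 on `gsutil cp` next to a working `gsutil ls`. After `set_storage_scope myhappyvm read_write` (with GCLOUD unset) a fresh `fetch_scopes` shows read_write, and the 403 only goes away once gsutil's cached credentials are dropped, as the answer notes. Because the scope list is readable by every process on the VM, the classification above is also a cheap thing to run from a configuration audit: a VM whose workload only needs to read from buckets should never report read_write or full_control.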

Wagner Bianchi

Thanks, Björn. I’ll try it out and let you know soon!
