
I have a bucket with initialization actions, that has the following ACL:

  • deployment_service_user: Owner
  • dataproc_service_user: Reader

Objects in the bucket have the same ACL. While all users involved in launching that cluster should have access (gcloud runs as deployment_service_user, and workers should run as dataproc_service_user), I'm getting the following access error:

  stderr: ERROR: (gcloud.beta.dataproc.clusters.create) INVALID_ARGUMENT: 
  Multiple validation errors:
   - Access denied for Google Cloud Storage object: 'gs://init-action-bucket/my-init-action.sh'

When I'm adding the following rule to the ACL, it works fine:

  • project viewers: Reader

Is it possible to specify a more specific permission instead of allowing project viewers to read from initialization actions?

chemikadze

1 Answer

Thanks for asking! This is something not very clear in the docs.

The answer depends on whether you're using the Default or Custom Service Account with dataproc VMs.

If you specified a Custom Service Account (as --service-account in gcloud) then you should give reader access to this account. If you're using a custom service account, you still have to give reader access to the Default service account (due to a known issue).

On the other hand if you're not explicitly specifying a service account, then you're using the Compute Engine default service account. It usually looks like this: <your-project-number>-compute@developer.gserviceaccount.com. Give reader to this account.

The user creating the cluster is not required to have ACLs on init actions.

tix
  • Yeah, I was using a custom service account... If it is required to provide the default service account with access as well, then it explains everything. I'll try, thanks a lot! – chemikadze Jun 24 '17 at 00:13
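The grants the answer describes, as an added example that is not part of the question or answer above: it derives the Compute Engine default service account from the project number, grants it (and the custom service account, if any) object read on the init-action bucket with gsutil, and builds the matching gcloud create command. The bucket, object, project number and service-account names below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes gsutil and gcloud are
# installed and authenticated as the account that owns the bucket (the
# deployment user in the question); BUCKET/PROJECT_NUMBER/CUSTOM_SA are yours.

# Compute Engine default service account: <project-number>-compute@developer.gserviceaccount.com
default_compute_sa() {
  printf '%s-compute@developer.gserviceaccount.com\n' "$1"
}

# Print the gsutil commands granting READ (R) on the bucket and, recursively
# (-r), on every object in it. When a custom service account is given, the
# default one is still granted, per the known issue the answer mentions.
# Args: BUCKET PROJECT_NUMBER [CUSTOM_SA]
acl_commands() {
  bucket="$1"; project_number="$2"; custom_sa="${3:-}"
  for sa in "$(default_compute_sa "$project_number")" $custom_sa; do
    printf 'gsutil acl ch -u %s:R gs://%s\n' "$sa" "$bucket"      # bucket ACL
    printf 'gsutil acl ch -r -u %s:R gs://%s\n' "$sa" "$bucket"   # object ACLs
  done
}

# Cluster create command that points at the init action; only the VM service
# account needs the ACL, not the user running gcloud.
# Args: CLUSTER BUCKET INIT_SCRIPT [CUSTOM_SA]
cluster_create_command() {
  cmd="gcloud dataproc clusters create $1 --initialization-actions gs://$2/$3"
  [ -n "${4:-}" ] && cmd="$cmd --service-account $4"
  printf '%s\n' "$cmd"
}

# Usage: sh grant_reader.sh BUCKET PROJECT_NUMBER [CUSTOM_SA]
# Prints the grants; pipe the output into sh to apply them.
if [ "$#" -ge 2 ]; then
  acl_commands "$@"
fi
```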