
I am trying to mount a GCP storage bucket using gcsfuse and service account authentication. Everything mounts OK, but I only have read permission; see below:

hannel@gcpxxxxxxd1:~$ gcsfuse --dir-mode 777 --file-mode 777 test /testing
Using mount point: /testing
Opening GCS connection...
Opening bucket...
Mounting file system...
File system has been successfully mounted.
hannel@gcpxxxxxxd1:~$ ls /testing/
Huh...
hannel@gcpxxxxxd1:~$ echo "test" | sudo tee -a /testing/test.log
tee: /testing/test.log: Permission denied

I have confirmed the service account has full Storage Admin permission to write to the storage service.

https://i.stack.imgur.com/kSH3U.png

I have confirmed that the instance metadata service is picking up the service account.

https://i.stack.imgur.com/CCU2W.png

The only issue I see is that the call for scopes from the instance metadata service seems to be returning 'weird' information: https://www.googleapis.com/auth/cloud-platform

curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/xxxxx-768@xxxx-246521.iam.gserviceaccount.com/scopes -H "Metadata-Flavor: Google"


https://i.stack.imgur.com/owLr6.png

I really do not want to use the key JSON workaround.

Questions:

Is this a known issue?

Am I doing something wrong?

Any help is greatly appreciated.

Hannel
  • Go to Google Cloud Console. Select your VM. Near the bottom of the details window, what do you have set for "Cloud API access scopes"? You will want "Allow full access to all Cloud APIs" which then means that access is controlled by the Compute Engine service account. – John Hanley Jul 13 '19 at 19:15
  • The default setting for Compute Engine scopes is "Read Only" for Cloud Storage. – John Hanley Jul 13 '19 at 19:16
  • It is set to full by default and managed by IAM when using a custom service account. https://i.imgur.com/e1lRxs0.png – Hannel Jul 13 '19 at 20:12
  • The default IAM settings for the Compute Engine Default Service Account is "Allow default access". This means many APIs are limited in scope. – John Hanley Jul 13 '19 at 21:22
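The question touches three separate gates that can each produce "Permission denied" on a gcsfuse mount: the OAuth scopes on the VM's service-account token, the IAM role bound to that service account, and the FUSE mount itself. The script below is an added diagnostic written for this page; it is not the poster's code and not part of gcsfuse. The pure functions check a scopes listing (as returned by the metadata `.../scopes` endpoint) for a write-capable scope, and check `/proc/mounts` for `allow_other`, which FUSE requires before any user other than the one who ran `gcsfuse`, root included, can touch the mount (relevant because the question mounts as `hannel` and writes with `sudo tee`). The optional live section runs only on a GCE VM and probes the bucket through the JSON API with the VM's own token, which separates a token problem from a mount problem. The bucket name `test` and mount point `/testing` are assumed from the question; override them with `BUCKET` and `MOUNTPOINT`.

```shell
#!/bin/sh
# gcsfuse write-permission diagnostic. Added example for this question, not the
# poster's code. Assumed (labelled) defaults: bucket "test", mount point "/testing",
# as in the question; override with BUCKET and MOUNTPOINT.
BUCKET=${BUCKET:-test}
MOUNTPOINT=${MOUNTPOINT:-/testing}

# OAuth scopes under which a VM's service-account token can write objects.
# devstorage.read_only (the "Read Only" Compute Engine default mentioned in the
# comments) is deliberately absent: it yields exactly the behaviour in the question.
GCS_WRITE_SCOPES='https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/devstorage.full_control'

# scopes_allow_gcs_write SCOPES
#   SCOPES is the newline-separated text returned by the metadata endpoint
#   .../service-accounts/<sa>/scopes. Returns 0 if any scope permits writes.
scopes_allow_gcs_write() {
    scopes=$1
    for s in $GCS_WRITE_SCOPES; do
        # -x: whole-line match, so cloud-platform.read-only is not mistaken for cloud-platform
        if printf '%s\n' "$scopes" | grep -qxF "$s"; then
            return 0
        fi
    done
    return 1
}

# mount_allows_other_users MOUNTPOINT PROC_MOUNTS_TEXT
#   FUSE denies access to every user except the one who ran gcsfuse, root
#   included, unless the mount carries the allow_other option. This check is
#   independent of IAM and scopes. Returns 0 (allow_other set), 1 (not set),
#   2 (MOUNTPOINT is not a FUSE mount in PROC_MOUNTS_TEXT).
mount_allows_other_users() {
    mp=$1
    line=$(printf '%s\n' "$2" | awk -v mp="$mp" '$2 == mp && $3 ~ /^fuse/ { print; exit }')
    [ -n "$line" ] || return 2
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }' | tr ',' ' ')
    case " $opts " in
        *' allow_other '*) return 0 ;;
        *) return 1 ;;
    esac
}

# live_check: runs on a GCE VM only (needs the metadata server and network).
# Uploads a probe object through the JSON API with the VM's own token, so a 403
# here means the token (scope or IAM) is the problem, while a 200 with gcsfuse
# still refusing writes points at the mount itself.
live_check() {
    md=http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default
    scopes=$(curl -sf -H 'Metadata-Flavor: Google' "$md/scopes") || { echo 'no metadata server'; return 1; }
    if scopes_allow_gcs_write "$scopes"; then echo 'scopes: allow GCS writes'; else echo 'scopes: read-only'; fi

    token=$(curl -sf -H 'Metadata-Flavor: Google' "$md/token" \
            | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p')
    status=$(printf 'probe\n' | curl -s -o /dev/null -w '%{http_code}' -X POST \
        -H "Authorization: Bearer $token" -H 'Content-Type: text/plain' --data-binary @- \
        "https://storage.googleapis.com/upload/storage/v1/b/$BUCKET/o?uploadType=media&name=gcsfuse-probe.txt")
    echo "JSON API upload to gs://$BUCKET: HTTP $status"

    mount_allows_other_users "$MOUNTPOINT" "$(cat /proc/mounts)"
    case $? in
        0) echo "mount: allow_other set; other users (and sudo) can access $MOUNTPOINT" ;;
        1) echo "mount: only the mounting user can access $MOUNTPOINT; remount with -o allow_other for sudo or other users" ;;
        *) echo "mount: $MOUNTPOINT is not a FUSE mount" ;;
    esac
}

# Live checks are opt-in so the pure functions above can be exercised offline.
if [ "${GCS_CHECK_LIVE:-0}" = 1 ]; then
    live_check
fi
```

Run it on the VM with `GCS_CHECK_LIVE=1 sh gcsfuse-check.sh`. If the JSON API probe returns 200 but `sudo tee` into the mount still fails, the fix is on the mount side (`gcsfuse -o allow_other ...`, which for a non-root mounter also needs `user_allow_other` in `/etc/fuse.conf`), not in IAM; if the probe returns 403, look at scopes and IAM first, remembering that a freshly granted role can take some minutes to propagate, as the accepted outcome of this question suggests.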

1 Answer

Closing the loop on this.

It is now working with no changes; I believe the issue must have been IAM permission replication. Guess 15 minutes was not long enough; an hour seems to have done the trick.

Hannel
  • Hi Hannel, good work finding the solution! Can you accept your own answer? It will make it more visible and help someone with the same issue as you find the solution. Thanks! – Pawel Czuczwara Jul 15 '19 at 11:15
  • @PawelCzuczwara I plan on doing that. There is a wait time to mark your own question as answered. – Hannel Jul 15 '19 at 15:09