3
votes

I launched an instance with service level accounts enabled. For example it has storage-rw set. I verified that the instance has those. Now whenever I run gsutil ls gs://my_bucket from within the instance I get the error: Failure: unauthorized_client.

gcloud auth list returns

Credentialed accounts:
 - [email protected] (active)

I need to use gcloud sdk from an instance because I need more components other than the gcutil and gsutil.

So my question is how can I authorize gcloud to use the [email protected] account and thus the permissions only specified on the instance and not my personal user account which has full permissions to everything?

2
Could it be a bucket-level permission issue? Just because your service account has rw access to storage doesn't necessarily give it bucket access. Can you create buckets from your instance? - user3385351
Is the billing status active on your project? - jterrace
@user3385351 - no, I cannot even create a bucket. Same error unauthorized client. - jaran
@jterrace yes, it's enabled. - jaran

2 Answers

6
votes

The gcloud CLI definitely handles Google Compute Engine service accounts. If you see it as "(active)" when you do $ gcloud auth list, that should be sufficient.

Two things can be going wrong here:

  1. You are using the wrong gsutil.

    When you install the Google Cloud SDK, it will create google-cloud-sdk/bin/gsutil, and THAT is the one you want to run. Do $ which gsutil to double check. If you're running google-cloud-sdk/platform/gsutil/gsutil, that's the wrong one, and it won't know about anything that gcloud can tell it.

  2. The account doesn't have permissions to access the bucket you're trying to inspect. You'll have to ask the owner of the bucket to add it to the project that owns that bucket.

Source: Engineer for the Google Cloud SDK

-1
votes

See "Authenticating to Google Compute Engine" section in this doc: https://developers.google.com/compute/docs/gcutil/