Google Cloud Storage access denied and MapReduce. Cannot add Service Account into developers list

3
votes


I'm running a MapReduce job on Google App Engine with a configuration similar to this: 

MapReduceSettings.Builder()
            .setBucketName("my-bucket")
            .setWorkerQueueName(QUEUE_NAME)
            .setModule(MODULE)
            .build();

The bucket is used for temporary data by App Engine itself.


The problem is that when I run the job, it fails with the following stacktrace:

com.sun.jersey.spi.container.ContainerResponse mapMappableContainerException: The RuntimeException could not be mapped to a response, re-throwing to the HTTP container
java.lang.RuntimeException: Writeable Bucket 'my-bucket' test failed. See http://developers.google.com/appengine/docs/java/googlecloudstorageclient/activate for more information on how to setup Google Cloude storage.
    at com.google.appengine.tools.mapreduce.MapReduceSettings.verifyAndSetBucketName(MapReduceSettings.java:134)
    at com.google.appengine.tools.mapreduce.MapReduceSettings.<init>(MapReduceSettings.java:89)
at com.google.appengine.tools.mapreduce.MapReduceSettings.<init>(MapReduceSettings.java:31)
    at com.google.appengine.tools.mapreduce.MapReduceSettings$Builder.build(MapReduceSettings.java:83)
    at
    ...
    ...
Caused by: com.google.appengine.tools.cloudstorage.NonRetriableException: java.lang.RuntimeException: Server replied with 403, verify ACLs are set correctly on the object and bucket: Request: DELETE https://storage.googleapis.com/my-bucket/2f249469-c77a-4540-bbbd-45fcd27d7600.tmp
User-Agent: App Engine GCS Client

no content

Response: 403 with 111 bytes of content
Content-Type: application/xml; charset=UTF-8
Content-Length: 111
Vary: Origin
Date: Tue, 12 Aug 2014 18:20:20 GMT
Expires: Tue, 12 Aug 2014 18:20:20 GMT
Cache-Control: private, max-age=0
Server: UploadServer ("Built on Jul 31 2014 18:25:34 (1406856334)")
Alternate-Protocol: 443:quic
X-Google-Cache-Control: remote-fetch
Via: HTTP/1.1 GWA
<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message></Error>

I already tried to add the Service Account Name ([email protected]) as a team member but beside the user it keeps saying

Invitation sent. Waiting for response.

How can I add the Service Account into the developers list so I can give it access to my bucket?

Thanks

1
google-app-enginemapreducegoogle-cloud-storagebucketservice-accounts

1 Answers

2
votes

I solved it using the gsutils command line tool:

gsutil acl ch -u [email protected]:WRITE gs://my-bucket

According to Google Storage documentation, sometimes it's not possible to add the service account into the developers list, even if they don't say why

Note: In some circumstances, you might not be able to add the service account as a team member. If you cannot add the service account, use the alternative method, bucket ACLs, as described next.