gsutil ServiceException: 401 Anonymous caller does not have storage.objects.list access to bucket even though I'm loggedin in gcloud

余生长醉 提交于 2021-02-15 11:16:00

问题


I am trying to create an internal app to upload files to google cloud. I don't want each individual user or this app to log in so I'm using a service account. I login into the service account and everything is ok, but when I try to upload it gives me this error: ServiceException: 401 Anonymous caller does not have storage.objects.list access to bucket

As you can see I am logged in with a service account and my account and(neither service or personal) works


回答1:


I had similar problem, and as always, it took me 2 hours but the solution was trivial, if only it was written somewhere... I needed to login (or authorize, what suits you) to the gsutil in addition to being authorized to the gcloud. I thought they are linked or whatever, but nah. After I ran gsutil config and authorized via the provided link (and code that I pasted back to the console), it started working for me.

Note that I was also logged in to gcloud via a service account linked to my project and having the service account .json key saved locally (see gcloud auth activate-service-account --help). Hope this helps anyone struggling with this!




回答2:


gcloud auth login solved my issue. You need both steps:

gcloud auth login
gcloud auth application-default login



回答3:


I can only think of a few things that might cause you to see this error:

  1. Maybe you have an alias set up to a standalone installation of gsutil (which doesn't share credentials with gcloud)?
    Edit: it's also possible you're invoking the wrong gsutil entry point - make sure you're using <path-to-cloud-sdk>/google-cloud-sdk/bin/gsutil, and not <path-to-cloud-sdk>/google-cloud-sdk/platform/gsutil/gsutil. The platform path will not automatically know about your configured gcloud auth options.

  2. Maybe your service account credentials have moved/are invalid now? If your boto file is referring to a keyfile path and the keyfile was moved, this might happen.

  3. Maybe the gcloud boto file (that gcloud created to use with gsutil when you ran gcloud auth login) is gone. You can run gsutil version -l to see if it's shown in your config path. If gcloud's boto file is present, you should see a line similar to this:

    config path(s): /Users/Daniel/.config/gcloud/legacy_credentials/email@domain.tld/.boto

You can run gsutil version -l to get a bit more info and look into the possibilities above. In particular, these attributes from the output will probably be the most helpful: using cloud sdk, pass cloud sdk credentials to gsutil, config path(s), and gsutil path.




回答4:


It happened to me because I had an incomplete initialisation while running gcloud init. I reinitialised the configuration using gcloud init command and it worked fine.




回答5:


I faced the same problem. It took me two days to get this thing working. I am writing about the whole setup. please refer to step 2 for the answer to the question. FYI my OS is windows 10

Step 1: Firstly, I faced problems installing gcloud and this is what i did. The script(.\google-cloud-sdk\install.bat) which is supposed to add gcloud to the path was not working due to permission issues. I had to add the path manually in two places 1) In the system variables, to the "PATH" variable i added the path to the gcloud bin which should look like - C:\Users\774610\google-cloud-sdk\bin - in my case 2) Additionally gcloud needs python so to the "PATHEXT" variable i appended ".PY" at the end. After Performing these tasks gcloud started working.

Step 2: Even though gcloud is working, maven is not able to connect to cloud storage and the error was "401 Anonymous caller does not have storage.objects.list access to bucket" I was pretty sure i did login to my account and selected the correct project. I also tried adding environment variable as shown in this documentation "https://cloud.google.com/docs/authentication/getting-started" Nothing seemed to be working even though all the credentials were perfectly setup.

while going through the gcloud documentation I came across this command - "gcloud auth application-default login" which was exactly what i needed.

Refer here for difference between gcloud auth login and gcloud auth application default login In short what this command does is it obtains your credentials via a web flow and stores them in 'the well-known location for Application Default Credentials' and any code/SDK you run will be able to find the credentials automatically

After this, maven was successfully able to connect to google storage and do its stuff.

Hope this helps, thanks




回答6:


Does your service account actually have the required permission? The role(s) that will give you this permission are roles/storage.objectViewer / roles/storage.objectAdmin / roles/storage.admin.

Please ensure the service account actually have the permissions in your Cloud Console and then it should work.

--- UPDATE ---

Since you have the correct permission in the account, there it's likely the correct account wasn't used in the gsutil command. This can happen if you have multiple installations of your gsutil tool, please ensure your gsutil has the correct path point to a .BOTO file. There's a similar issue reported on the github repo. You can see if the solution there works.

Ultimately, you can use a new machine / vm with a fresh install to test it out to see if it works. You can this easily by going to the Cloud Console and using the Cloud Shell. No real installation needed, should be very simple to test.

This should work and it will basically isolate your issue (to that of multiple installation) on your original machine. After that, you basically just have to do a clean install to fix it.




回答7:


I had the same issue, tried to do gsutil config then it recommended me gcloud auth login which opened google in the browser. After i logged in, i could download with gsutil cp -r gs://my_bucket/Directory local_save_path the entire bucket and save it locally.




回答8:


If you installed gsutil using python (without gcloud SDK), it may help to run gsutil config and complete steps of initialisation.




回答9:



Thank you for all the replies.
I would like to share my own experience.
I had to login under the user which is defined when installing Gitlab Runner.
By default, the user indicated in the installation doc is : "gitlab-runner".
So, first, I added a password on this user:

passwd gitlab-runner

then :

su - gitlab-runner
gcloud auth login
gcloud auth application-default login

The issue is solved.
Maybe there is a better way, by directly putting the Google auth files under /home/gitlab-runner




回答10:


Personally, I had an account with proper permissions registered but I got that error as well despite verifying that my account was running using "sudo gcloud init"

What solved it for me was navigating to the ~/.gutil directory and writing the following

sudo chown jovyan:jovyan * 

which let my JupyterLab terminal run, not from root, but from default jovyan. After that it used my account, not Anonymous caller




回答11:


Here is another way to edit roles:

gsutil iam ch allUsers:objectViewer gs://tf-learn-objectdetection

Fore more documentation:

gsutil iam help



回答12:


I faced same issue. I used

gcloud auth login

and follow the link



来源:https://stackoverflow.com/questions/49302859/gsutil-serviceexception-401-anonymous-caller-does-not-have-storage-objects-list

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!