Question
I am trying to create an internal app to upload files to Google Cloud. I don't want each individual user or this app to log in, so I'm using a service account. I log in to the service account and everything is OK, but when I try to upload it gives me this error: ServiceException: 401 Anonymous caller does not have storage.objects.list access to bucket
As you can see, I am logged in with a service account and my account, and (neither service nor personal) works
Answer 1:
I had a similar problem, and as always, it took me 2 hours but the solution was trivial, if only it was written somewhere... I needed to log in (or authorize, what suits you) to gsutil in addition to being authorized to gcloud. I thought they are linked or whatever, but nah. After I ran gsutil config and authorized via the provided link (and code that I pasted back to the console), it started working for me.
Note that I was also logged in to gcloud via a service account linked to my project and having the service account .json key saved locally (see gcloud auth activate-service-account --help). Hope this helps anyone struggling with this!
Answer 2:
gcloud auth login solved my issue. You need both steps:
gcloud auth login
gcloud auth application-default login
Answer 3:
I can only think of a few things that might cause you to see this error:

Maybe you have an alias set up to a standalone installation of gsutil (which doesn't share credentials with gcloud)?
Edit: it's also possible you're invoking the wrong gsutil entry point - make sure you're using <path-to-cloud-sdk>/google-cloud-sdk/bin/gsutil, and not <path-to-cloud-sdk>/google-cloud-sdk/platform/gsutil/gsutil. The platform path will not automatically know about your configured gcloud auth options.

Maybe your service account credentials have moved/are invalid now? If your boto file is referring to a keyfile path and the keyfile was moved, this might happen.

Maybe the gcloud boto file (that gcloud created to use with gsutil when you ran gcloud auth login) is gone. You can run gsutil version -l to see if it's shown in your config path. If gcloud's boto file is present, you should see a line similar to this:
config path(s): /Users/Daniel/.config/gcloud/legacy_credentials/email@domain.tld/.boto

You can run gsutil version -l to get a bit more info and look into the possibilities above. In particular, these attributes from the output will probably be the most helpful: using cloud sdk, pass cloud sdk credentials to gsutil, config path(s), and gsutil path.
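The checks described in this answer, as an added example that is not part of the original answer: it parses gsutil version -l output and reports which of the listed causes apply. The sample output is constructed, the "No config found" text is an assumed placeholder, and the legacy_credentials test follows the config path shown in the answer.

```python
# Added example: triage of the `gsutil version -l` attributes named above.
# SAMPLE_OUTPUT is constructed; "No config found" is an assumed placeholder
# for what gsutil prints when it loaded no boto file.
SAMPLE_OUTPUT = """\
gsutil version: 4.38
using cloud sdk: False
pass cloud sdk credentials to gsutil: False
config path(s): No config found
gsutil path: /opt/gsutil/gsutil
"""

FIELDS = ("using cloud sdk", "pass cloud sdk credentials to gsutil",
          "config path(s)", "gsutil path")


def parse_version_output(text):
    """Return the four attributes as a dict; absent ones map to None."""
    found = dict.fromkeys(FIELDS)
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in found:
            found[key] = value.strip()
    return found


def diagnose(text):
    """List reasons gsutil may be running without gcloud's credentials."""
    info = parse_version_output(text)
    findings = []
    if info["using cloud sdk"] != "True":
        findings.append("not started through the Cloud SDK bin/gsutil wrapper")
    if info["pass cloud sdk credentials to gsutil"] != "True":
        findings.append("gcloud credentials are not passed to gsutil")
    paths = info["config path(s)"] or ""
    configs = [p.strip() for p in paths.split(",") if p.strip()]
    if not configs or paths.lower() == "no config found":
        findings.append("no boto config file is loaded")
    elif not any("legacy_credentials" in p for p in configs):
        findings.append("no gcloud-created boto file in config path(s)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_OUTPUT):
        print("-", finding)
```

To check a real host, pass the captured output of gsutil version -l to diagnose() in place of SAMPLE_OUTPUT.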
Answer 4:
It happened to me because I had an incomplete initialisation while running gcloud init.
I reinitialised the configuration using the gcloud init command and it worked fine.
Answer 5:
I faced the same problem. It took me two days to get this thing working. I am writing about the whole setup. Please refer to step 2 for the answer to the question. FYI, my OS is Windows 10.
Step 1: Firstly, I faced problems installing gcloud and this is what I did. The script (.\google-cloud-sdk\install.bat) which is supposed to add gcloud to the path was not working due to permission issues. I had to add the path manually in two places: 1) In the system variables, to the "PATH" variable I added the path to the gcloud bin, which should look like C:\Users\774610\google-cloud-sdk\bin in my case. 2) Additionally, gcloud needs Python, so to the "PATHEXT" variable I appended ".PY" at the end. After performing these tasks gcloud started working.
Step 2: Even though gcloud is working, Maven is not able to connect to Cloud Storage and the error was "401 Anonymous caller does not have storage.objects.list access to bucket". I was pretty sure I did log in to my account and selected the correct project. I also tried adding an environment variable as shown in this documentation: "https://cloud.google.com/docs/authentication/getting-started". Nothing seemed to be working even though all the credentials were perfectly set up.
While going through the gcloud documentation I came across this command - "gcloud auth application-default login" - which was exactly what I needed.
Refer here for the difference between gcloud auth login and gcloud auth application-default login. In short, what this command does is it obtains your credentials via a web flow and stores them in 'the well-known location for Application Default Credentials', and any code/SDK you run will be able to find the credentials automatically.
After this, Maven was successfully able to connect to Google storage and do its stuff.
Hope this helps, thanks
Answer 6:
Does your service account actually have the required permission? The role(s) that will give you this permission are roles/storage.objectViewer / roles/storage.objectAdmin / roles/storage.admin.
Please ensure the service account actually has the permissions in your Cloud Console and then it should work.
--- UPDATE ---
Since you have the correct permission in the account, it's likely the correct account wasn't used in the gsutil command. This can happen if you have multiple installations of your gsutil tool; please ensure your gsutil has the correct path pointing to a .BOTO file. There's a similar issue reported on the GitHub repo. You can see if the solution there works.
Ultimately, you can use a new machine / VM with a fresh install to test it out to see if it works. You can do this easily by going to the Cloud Console and using the Cloud Shell. No real installation needed, should be very simple to test.
This should work and it will basically isolate your issue (to that of multiple installations) on your original machine. After that, you basically just have to do a clean install to fix it.
Answer 7:
I had the same issue, tried to do gsutil config, then it recommended gcloud auth login to me, which opened Google in the browser. After I logged in, I could download the entire bucket with gsutil cp -r gs://my_bucket/Directory local_save_path and save it locally.
Answer 8:
If you installed gsutil using python (without gcloud SDK), it may help to run gsutil config and complete the steps of initialisation.
Answer 9:
Thank you for all the replies.
I would like to share my own experience.
I had to log in under the user which is defined when installing GitLab Runner.
By default, the user indicated in the installation doc is: "gitlab-runner".
So, first, I added a password on this user:
passwd gitlab-runner
then:
su - gitlab-runner
gcloud auth login
gcloud auth application-default login
The issue is solved.
Maybe there is a better way, by directly putting the Google auth files under /home/gitlab-runner
Answer 10:
Personally, I had an account with proper permissions registered, but I got that error as well despite verifying that my account was running using "sudo gcloud init".
What solved it for me was navigating to the ~/.gutil directory and writing the following:
sudo chown jovyan:jovyan *
which let my JupyterLab terminal run, not from root, but from default jovyan. After that it used my account, not Anonymous caller
Answer 11:
Here is another way to edit roles:
gsutil iam ch allUsers:objectViewer gs://tf-learn-objectdetection
For more documentation:
gsutil iam help
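The command in this answer binds objectViewer to allUsers, which makes the bucket's objects readable without credentials, a wider grant than the per-account roles listed in Answer 6. An added example (not from the original answers) that checks a policy in the JSON shape printed by gsutil iam get for such public members and lists the roles one service account holds; the policy and the service account e-mail are constructed.

```python
import json

# Members that mean "everyone" or "any signed-in Google account".
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed policy in the shape of `gsutil iam get gs://<bucket>` output.
SAMPLE_POLICY = """
{
  "bindings": [
    {"members": ["allUsers"], "role": "roles/storage.objectViewer"},
    {"members": ["serviceAccount:uploader@example-project.iam.gserviceaccount.com"],
     "role": "roles/storage.objectAdmin"}
  ],
  "etag": "CAE="
}
"""


def public_bindings(policy_json):
    """Return sorted (role, member) pairs that are granted to the public."""
    policy = json.loads(policy_json)
    hits = set()
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                hits.add((binding.get("role", ""), member))
    return sorted(hits)


def roles_for(policy_json, member):
    """Return the sorted roles bound directly to one member string."""
    policy = json.loads(policy_json)
    return sorted(b.get("role", "") for b in policy.get("bindings", [])
                  if member in b.get("members", []))


if __name__ == "__main__":
    sa = "serviceAccount:uploader@example-project.iam.gserviceaccount.com"
    print("public:", public_bindings(SAMPLE_POLICY))
    print("service account roles:", roles_for(SAMPLE_POLICY, sa))
```

If roles_for already returns one of the roles from Answer 6 for the service account, the 401 comes from gsutil not using that account's credentials, and a public binding is not needed to fix it.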
Answer 12:
I faced the same issue. I used gcloud auth login and followed the link.
Source: https://stackoverflow.com/questions/49302859/gsutil-serviceexception-401-anonymous-caller-does-not-have-storage-objects-list