Recovering access after initially provisioning wrong scopes for an instance
I recently created a VM, but mistakenly gave the default service account Storage: Read Only permissions instead of the intended Read Write under "Identity & API access", so GCS write operations from the VM are now failing.
I realized my mistake, so following the advice in this answer, I stopped the VM, changed the scope to Read Write and started the VM. However, when I SSH in, I'm still getting 403 errors when trying to create buckets.
$ gsutil mb gs://some-random-bucket
Creating gs://some-random-bucket/...
AccessDeniedException: 403 Insufficient OAuth2 scope to perform this operation.
Acceptable scopes: https://www.googleapis.com/auth/cloud-platform
How can I fix this? I'm using the default service account, and don't have the IAM permissions to be able to create new ones.
$ gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* (projectnum)[email protected]
I will suggest you to try add the scope "cloud-platform" to the instance by running the gcloud command below
gcloud alpha compute instances set-scopes INSTANCE_NAME [--zone=ZONE] [--scopes=[SCOPE,…] [--service-account=SERVICE_ACCOUNT
As a scopes put "https://www.googleapis.com/auth/cloud-platform" since it give Full access to all Google Cloud Platform resources.
Here is gcloud documentation
- How to generate a Blob signed url in Google Cloud Run?
- Google Cloud: Access to image has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource
- Why does getMetadata().size show 20 bytes for an empty file in Google Cloud Storage?
- GCP Cloud Storage - Golang aws sdk2 - Upload file with s3 INTEROPERABILITY Creds
- Data loading and transformation from gcs to bigquery
- Error: error:1E08010C:DECODER routines::unsupported with Google auth library
- Deleting a large folder from Google Cloud Storage
- Error uploading file to google cloud storage
- Move files under multiple sub folders into one folder
- What is the quickest way to delete many blobs from GCS?
- Is it possible to wget / curl protected files from GCS?
- Can appengine files in asia.artifacts.../containers/images be safely deleted?
- Google Cloud Storage request blocked by CORS: not allowed by Access-Control-Allow-Origin
- How to upload a file to Google Cloud Storage on Python 3?
- Facing issues with the WriteObjectRequest for Google Cloud Storage using gRPC in Rust
- How to get list_blobs to behave like gsutil
- Firebase-Storage Access to fetch at '..' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource
- Getting 403 from GCP metadata server
- Permissions For Google Cloud SQL Import Using Service Accounts
- GCP Cloud Run: “missing required GoogleAccessID” when generating V4 Signed URL for Cloud Storage
- Read JSON file directly from google storage (using Cloud Functions)
- Uploading images to Firebase storage returns "Access denied" after some time
- Google Cloud Console "loading" forever
- Google Cloud Storage vs Google Cloud CDN
- Restrict a Load-Balanced Google backend bucket to a specific IP range
- Google Cloud Storage files access policy based on IP Address
- IP Restriction Google Cloud Storage
- Google Storage access based on IP Address
- Is there a way to set up a delete lifecycle rule of less than one day in google cloud storage?
- GCSFUSE mount error of bucket as folder in a compute engine VM