
Whoami doesn't change in GCP after I run gcloud auth login


I am learning GCP and have the following question regarding copying an object into a bucket.

In Cloud Shell I ran gsutil cp earthquakes.* gs://welynx-test1 and it errored out:

Copying file://earthquakes.csv [Content-Type=text/csv]...
AccessDeniedException: 403 Insufficient Permission 

I am logged in via SSH already, so I checked the identity with whoami:

xenonxie@instance-1:~/training-data-analyst/CPB100/lab2b$ whoami
xenonxie

And then I proceeded with editing the bucket's permission:

[screenshot: editing the bucket's permissions in the console]

I added an email address to the Storage Admin member.

I then ran gcloud auth login and was prompted with a link; clicking on the link takes me to a browser where I log in with an email address, then I get a verification code to paste back into the SSH window, and I am then logged in as that email user:

You are now logged in as [xenonxie @ gmail.com]. Your current project is [rock-perception-263016]. You can change this setting by running: $ gcloud config set project PROJECT_ID

Question 1: What I don't understand is that I still see the same whoami as below:

xenonxie@instance-1:~/training-data-analyst/CPB100/lab2b$ whoami
xenonxie

Because I added the email to the bucket's permissions as Storage Admin, I am able to save objects into that bucket.

Question2:

I believe it is not necessary to be Storage Admin; all I want is to write an object into that bucket. What is the best practice for doing that?

Thank you very much.


Solution

  • Question 1: You see the same whoami because that command is run in the instance's shell, so it is answering for the session on instance-1.

    Question 2: Yes, you are right. If you are following the principle of least privilege, Storage Admin is not the best option, as it is a role with more privileges than needed.

    As the use case you describe is only to write to the bucket, you can use storage.objectCreator or roles/storage.legacyBucketWriter, depending on whether you need to navigate in the bucket or not.

    To get more details about the roles available, you can check this page.

    EDIT

    To see the Google Cloud Platform account being used, you can run gcloud auth list; below it you will get a list of accounts, one of which will be marked as active. The one marked as active is the one being used.
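The following script, added here as an example and not part of the original question or answer, ties the two points together: it shows the OS user (whoami, unchanged by gcloud auth login) next to the active gcloud account, binds only roles/storage.objectCreator for a user on the bucket, and then runs the copy from the question. It assumes the bucket gs://welynx-test1 from the question and a placeholder member user:EMAIL_PLACEHOLDER@example.com; both can be overridden through the BUCKET and MEMBER environment variables. With DRY_RUN=1 (the default) the gcloud and gsutil commands are printed rather than executed, so the script can be read and checked without a project; set DRY_RUN=0 in Cloud Shell to actually run them.

```shell
#!/bin/sh
# Added example, not the original poster's or Google's code.
# Assumptions: bucket gs://welynx-test1 (from the question) and a
# placeholder principal EMAIL_PLACEHOLDER@example.com.
BUCKET="${BUCKET:-gs://welynx-test1}"
MEMBER="${MEMBER:-user:EMAIL_PLACEHOLDER@example.com}"
DRY_RUN="${DRY_RUN:-1}"

# run_or_echo: print the command when DRY_RUN=1, otherwise execute it.
run_or_echo() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# active_gcp_account: the identity gcloud and gsutil will use for API calls.
# This is what 'gcloud auth login' changes; it is unrelated to the Linux
# user that 'whoami' reports for the SSH session.
active_gcp_account() {
    run_or_echo gcloud auth list --filter=status:ACTIVE --format=value\(account\)
}

# grant_object_creator: least-privilege binding for writing new objects.
# roles/storage.objectCreator carries storage.objects.create only, so the
# member can upload but cannot list the bucket or overwrite/delete objects
# (an overwrite needs delete permission; use legacyBucketWriter if listing
# is required, as the answer notes).
grant_object_creator() {
    run_or_echo gsutil iam ch "${MEMBER}:objectCreator" "$BUCKET"
}

# upload_files: the copy from the question, performed as the active account.
upload_files() {
    run_or_echo gsutil cp earthquakes.* "$BUCKET"
}

echo "OS user for this SSH session (not changed by gcloud auth login): $(whoami)"
echo "Active GCP account:"
active_gcp_account
grant_object_creator
upload_files
```

Run it first with the default DRY_RUN=1 to confirm the bucket and member are what you intend, then with DRY_RUN=0 inside Cloud Shell; if the copy still returns 403, compare the account printed by gcloud auth list against the member you granted the role to, since that is the pair that has to match.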