I'm trying to upload a file from a Google Cloud VM into a cloud storage bucket.
Expectedly it fails because the service account associated with the VM doesn't have permissions:
$ gsutil cp file.png gs://bucket/
Copying file://file.png [Content-Type=image/png]...
AccessDeniedException: 403 Insufficient Permission
From what I understand there are two ways to fix this:
However, it seems that both solutions require the VM to be stopped, which is problematic as it is a production server.
Is there any way to fix this without stopping the VM?
There are two methods of controlling permissions granted to a Compute Engine VM.
Both of these methods work together. The total permissions available to a Compute Engine instance is controlled by the service account. Access Scopes then limit the permissions assigned to the VM.
You must shutdown a VM to change the Access Scopes. Changing the service account roles does not require rebooting the VM.
For this question regarding Cloud Storage Access:
If the service account has a Cloud Storage role granting access to cloud storage but the Access Scope for Storage is set to None, then the VM will not have access to Cloud Storage even though the service account has the required role. In this case you must shutdown the VM to change the Access Scope to enable access to Cloud Storage.
If the VM Access Scope has Storage enabled, but the service account does not have a Cloud Storage role, the VM will not be able to access Cloud Storage. In this case, adding a Cloud Storage role to the service account will grant access to Cloud Storage without requiring a VM reboot.
Access Scopes (OAuth Scopes) are a legacy mechanism that existed prior to Google Cloud IAM. Given that you are using this VM in a production environment and shutting down the instance is not desired, I recommend the following: