Tags: google-cloud-platform, google-cloud-storage, google-cloud-iam

find out principal for 403 access denied


I try copying a file to Google Cloud Storage using the command

gsutil cp access.log gs://XXX

and I get

Copying file://access.log [Content-Type=application/octet-stream]...
AccessDeniedException: 403 Access denied.

I would like to know who is the principal who got "access denied". Was it my OS user or the compute engine service account? How can I find this out? The Log Explorer does not seem to know of an "access denied".


Solution

  • As per the GCP official doc on Limit service account privileges:

    Service accounts are principals and can be granted access to a resource like a regular user account. However, service accounts often have greater access to more resources than a typical user.

    By default your machine should have READ access to the buckets in the same project, but configuration is required before you can write to them.

    Set proper Access scopes to resolve the error AccessDeniedException: 403 Access denied as per the below steps:

    1. Navigate to console.cloud.google.com >> select your project from the drop down menu >> select your VM and click STOP in the top menu bar.

    2. Once your VM has been stopped, click on its name and then EDIT in the top menu bar.

    3. Scroll down until you see a header called Access Scopes, which will likely be on the Allow default access selection.

    4. Select Set access for each API as your option, then scroll down until you see Storage, which is likely set on READ: change it to READ/WRITE, or whatever you feel is necessary for your use case.

    5. Save your changes and restart your VM.

    Refer to Changing the service account and access scopes for an instance for more information.
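The steps above change the scopes through the console; as an added example (not the answer's own code), this POSIX shell snippet classifies the scope list that the instance metadata server hands out, so you can confirm from inside the VM whether the token gsutil gets for the default service account can write to Cloud Storage at all. The `classify_storage_scopes` function and the two sample scope lists are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original answer): decide, from the scope list the
# metadata server returns, whether the VM's default service account can write to
# Cloud Storage. On a Compute Engine VM the live list comes from:
#   curl -s -H 'Metadata-Flavor: Google' \
#     http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes
# and the identity gsutil uses there is at .../service-accounts/default/email

# Scopes that permit writing objects. A list with only read_only, or with no
# storage scope at all, is the condition the answer above describes.
storage_write_scope_present() {
    # $1: newline-separated scope list
    printf '%s\n' "$1" | grep -q -E \
        'auth/(devstorage\.(read_write|full_control)|cloud-platform)$'
}

# Human-readable classification of a scope list: write, read-only or none.
classify_storage_scopes() {
    if storage_write_scope_present "$1"; then
        echo "write"
    elif printf '%s\n' "$1" | grep -q 'auth/devstorage\.read_only$'; then
        echo "read-only"
    else
        echo "none"
    fi
}

# Constructed sample resembling the "Allow default access" scope set, which
# carries devstorage.read_only only.
DEFAULT_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/trace.append'

# Constructed sample after step 4 of the answer (Storage set to READ/WRITE).
FIXED_SCOPES='https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/logging.write'

echo "default scopes -> $(classify_storage_scopes "$DEFAULT_SCOPES")"   # read-only
echo "fixed scopes   -> $(classify_storage_scopes "$FIXED_SCOPES")"     # write
```

Denied object writes only show up in Logs Explorer when Data Access audit logs are enabled for Cloud Storage, which they are not by default; that is why the 403 is absent there.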