跳到主要內容

Google Compute Engine‎ - AccessDeniedExceptions 403

原因

打算從 instance 打包 logs 到 google cloud storage 發生了 AccessDeniedException: 403 Insufficient OAuth2 scope to perform this operation., 看起來是 instance 沒有 storage 權限

解決

Reference:

https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes

重新設定 service account 權限

instance 上內建有 gcloud, 就直接用現有的工具查詢一下 instance 的 account.

$ gsutil info 

或者在本機直接

gcloud compute instances describe INSTANCE_NAMES
Account: [alpha-number-compute@developer.gserviceaccount.com]
Project: [our-project-name]

會看到 instance 的一些狀態, 接下來就簡單多了, 按照下列的說明, 要先 stop instance, 更改 storage scope 再重新 start

To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance.
# Stop Instance
gcloud compute instances stop INSTANCE_NAMES
# 設定 storage scope 為 full (Read, Write)
gcloud compute instances set-service-account INSTANCE_NAMES \
     --service-account alpha-number-compute@developer.gserviceaccount.com \
     --scopes storage-rw
# Start Instance
gcloud compute instances start INSTANCE_NAMES
# 再看一下有沒有設定成功
gcloud compute instances describe INSTANCE_NAMES

如果有多個 scope 要設定, 用 "," 分隔

gcloud compute instances set-service-account INSTANCE_NAMES \
     --service-account alpha-number-compute@developer.gserviceaccount.com \
     --scopes compute-rw,storage-rw

Scopes 參照表

default
    Scopes assigned to instances by default:
    - https://www.googleapis.com/auth/cloud.useraccounts.readonly
    - https://www.googleapis.com/auth/devstorage.read_only
    - https://www.googleapis.com/auth/logging.write
    - https://www.googleapis.com/auth/monitoring.write
    - https://www.googleapis.com/auth/pubsub
    - https://www.googleapis.com/auth/service.management.readonly
    - https://www.googleapis.com/auth/servicecontrol
    - https://www.googleapis.com/auth/trace.append
bigquery
    - https://www.googleapis.com/auth/bigquery
cloud-platform
    - https://www.googleapis.com/auth/cloud-platform
compute-ro
    - https://www.googleapis.com/auth/compute.readonly
compute-rw
    - https://www.googleapis.com/auth/compute
datastore
    - https://www.googleapis.com/auth/datastore
logging-write
    - https://www.googleapis.com/auth/logging.write
monitoring
    - https://www.googleapis.com/auth/monitoring
monitoring-write
    - https://www.googleapis.com/auth/monitoring.write
service-control
    - https://www.googleapis.com/auth/servicecontrol
service-management
    - https://www.googleapis.com/auth/service.management.readonly
sql-admin
    - https://www.googleapis.com/auth/sqlservice.admin
storage-full
    - https://www.googleapis.com/auth/devstorage.full_control
storage-ro
    - https://www.googleapis.com/auth/devstorage.read_only
storage-rw
    - https://www.googleapis.com/auth/devstorage.read_write
taskqueue
    - https://www.googleapis.com/auth/taskqueue
useraccounts-ro
    - https://www.googleapis.com/auth/cloud.useraccounts.readonly
useraccounts-rw
    - https://www.googleapis.com/auth/cloud.useraccounts
userinfo-email
    - https://www.googleapis.com/auth/userinfo.email

留言

這個網誌中的熱門文章

Parse URI query string to Key Value

Parse URI query String to Map 做 urlDecode 處理 沒有任何 query String 回傳 Empty Map 確保只處理 key-value 結構的 query String package com.example.util; import lombok.extern.slf4j.Slf4j; import org.apache.http.client.utils.URIBuilder; import java.io.UnsupportedEncodingException; import java.net.URI; import java.net.URISyntaxException; import java.net.URLDecoder; import java.util.LinkedHashMap; import java.util.Map; import java.util.Objects; /** * Created by jerry on 2017/12/28. * * @author jerry */ @Slf4j public class UriUtil { private UriUtil() { } public static Map splitQuery(final String uri) { Map queryPairs = new LinkedHashMap (); try { final URI uri = new URIBuilder(uri).build(); final String rawQuery = uri.getRawQuery(); log.info("CurrentUrl Query: {}", rawQuery); // 過濾沒有 query string // 還有過濾無法成對 keyValue 的 query, e.g. http://host/path?123 if (Objects.isNull(rawQuery) |...

Spring-boot Thymeleaf Html5 SAXParseException 解析錯誤

thymeleaf 解析 html5 出錯 <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content=""> <meta name="author" content=""> <title>SB Admin - Start Bootstrap Template</title> <!-- Bootstrap core CSS--> <link href="../static/vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet"> <!-- Custom fonts for this template--> <link href="../static/vendor/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css"> <!-- Page level plugin CSS--> <link href="../static/vendor/datatables/dataTables.bootstrap4.css" rel="stylesheet"> <!-- Custom styles for this template--> <li...