Google Compute Engine - AccessDeniedException 403

Cause

While trying to package logs on an instance and upload them to Google Cloud Storage, I got AccessDeniedException: 403 Insufficient OAuth2 scope to perform this operation. It looks like the instance has no storage scope.

Solution

Reference:

https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes

Reconfigure the service account scopes

gcloud is preinstalled on the instance, so just use the existing tool to check which account the instance is running as (the Account/Project lines below are printed by gcloud info; gsutil has no info subcommand):

$ gcloud info
Account: [alpha-number-compute@developer.gserviceaccount.com]
Project: [our-project-name]

Or, from your local machine, describe the instance directly:

gcloud compute instances describe INSTANCE_NAMES

This shows the instance's current state, including its service account and scopes. The rest is straightforward: as the documentation below explains, stop the instance first, change the storage scope, then start it again.

To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance.

# Stop the instance
gcloud compute instances stop INSTANCE_NAMES
# Set the storage scope to read/write (storage-rw = devstorage.read_write)
gcloud compute instances set-service-account INSTANCE_NAMES \
     --service-account alpha-number-compute@developer.gserviceaccount.com \
     --scopes storage-rw
# Start the instance
gcloud compute instances start INSTANCE_NAMES
# Check that the new scopes took effect
gcloud compute instances describe INSTANCE_NAMES

If you need more than one scope, separate them with ",". Note that --scopes replaces the instance's whole scope list rather than adding to it, so include every scope the instance still needs (the default set below includes logging.write and monitoring.write, for example). Scopes are a ceiling on top of the service account's IAM permissions, so pick the narrowest alias that does the job: storage-rw here, not storage-full or cloud-platform.

gcloud compute instances set-service-account INSTANCE_NAMES \
     --service-account alpha-number-compute@developer.gserviceaccount.com \
     --scopes compute-rw,storage-rw
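Before going through the stop / set-service-account / start cycle it is worth confirming that the scopes are really the problem. The following is an added example, not code from the original post: it parses the YAML that gcloud compute instances describe prints (the serviceAccounts / scopes section), checks whether any write-capable storage scope is present, and prints the three gcloud commands from the post when it is not. The describe output is a constructed sample embedded in the script so it runs offline; the instance and account names are the placeholders used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an instance's
# current access scopes allow writing to Cloud Storage, and print the
# stop / set-service-account / start commands only when they do not.

# Extract scope URLs from `gcloud compute instances describe` YAML output.
scopes_from_describe() {
  printf '%s\n' "$1" | sed -n 's/^ *- \(https:\/\/www\.googleapis\.com\/auth\/[^ ]*\).*$/\1/p'
}

# Any one of these scopes is enough to write objects to Cloud Storage.
STORAGE_WRITE_SCOPES="https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/cloud-platform"

# Returns 0 when at least one write-capable storage scope is in the list.
has_storage_write() {
  for want in $STORAGE_WRITE_SCOPES; do
    if printf '%s\n' "$1" | grep -qxF "$want"; then
      return 0
    fi
  done
  return 1
}

# plan_fix INSTANCE ACCOUNT DESCRIBE_OUTPUT
# Returns 0 and prints "ok" when a storage write scope is already present;
# otherwise prints the gcloud commands to run and returns 1.
plan_fix() {
  instance="$1"; account="$2"; describe_output="$3"
  scopes=$(scopes_from_describe "$describe_output")
  if has_storage_write "$scopes"; then
    echo "ok: $instance already has a storage write scope"
    return 0
  fi
  cat <<EOF
gcloud compute instances stop $instance
gcloud compute instances set-service-account $instance \\
    --service-account $account \\
    --scopes storage-rw
gcloud compute instances start $instance
EOF
  return 1
}

# Constructed sample: an instance still on the default scopes (storage read-only).
SAMPLE_DEFAULT='serviceAccounts:
- email: alpha-number-compute@developer.gserviceaccount.com
  scopes:
  - https://www.googleapis.com/auth/devstorage.read_only
  - https://www.googleapis.com/auth/logging.write
  - https://www.googleapis.com/auth/monitoring.write
status: RUNNING'

# Constructed sample: the same instance after `--scopes storage-rw`.
SAMPLE_RW='serviceAccounts:
- email: alpha-number-compute@developer.gserviceaccount.com
  scopes:
  - https://www.googleapis.com/auth/devstorage.read_write
status: RUNNING'

# Against a real instance you would feed the live describe output instead
# (assumed usage, not exercised here):
#   plan_fix INSTANCE_NAMES "$ACCOUNT" "$(gcloud compute instances describe INSTANCE_NAMES)"
plan_fix INSTANCE_NAMES alpha-number-compute@developer.gserviceaccount.com "$SAMPLE_DEFAULT"
plan_fix INSTANCE_NAMES alpha-number-compute@developer.gserviceaccount.com "$SAMPLE_RW"
```

Running the script prints the stop / set-service-account / start commands for the default-scope sample and "ok" for the read-write sample. Note that the parser only recognises scope URLs under googleapis.com/auth/, which is all the describe output ever lists in that section.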

Scope alias reference table

default
    Scopes assigned to instances by default:
    - https://www.googleapis.com/auth/cloud.useraccounts.readonly
    - https://www.googleapis.com/auth/devstorage.read_only
    - https://www.googleapis.com/auth/logging.write
    - https://www.googleapis.com/auth/monitoring.write
    - https://www.googleapis.com/auth/pubsub
    - https://www.googleapis.com/auth/service.management.readonly
    - https://www.googleapis.com/auth/servicecontrol
    - https://www.googleapis.com/auth/trace.append
bigquery
    - https://www.googleapis.com/auth/bigquery
cloud-platform
    - https://www.googleapis.com/auth/cloud-platform
compute-ro
    - https://www.googleapis.com/auth/compute.readonly
compute-rw
    - https://www.googleapis.com/auth/compute
datastore
    - https://www.googleapis.com/auth/datastore
logging-write
    - https://www.googleapis.com/auth/logging.write
monitoring
    - https://www.googleapis.com/auth/monitoring
monitoring-write
    - https://www.googleapis.com/auth/monitoring.write
service-control
    - https://www.googleapis.com/auth/servicecontrol
service-management
    - https://www.googleapis.com/auth/service.management.readonly
sql-admin
    - https://www.googleapis.com/auth/sqlservice.admin
storage-full
    - https://www.googleapis.com/auth/devstorage.full_control
storage-ro
    - https://www.googleapis.com/auth/devstorage.read_only
storage-rw
    - https://www.googleapis.com/auth/devstorage.read_write
taskqueue
    - https://www.googleapis.com/auth/taskqueue
useraccounts-ro
    - https://www.googleapis.com/auth/cloud.useraccounts.readonly
useraccounts-rw
    - https://www.googleapis.com/auth/cloud.useraccounts
userinfo-email
    - https://www.googleapis.com/auth/userinfo.email
