Need Help?

Search our documentation and community forum

Terra is a cloud-native platform for biomedical researchers to access data, run analysis tools, and collaborate.
Terra powers important scientific projects like FireCloud, AnVIL, DataSTAGE. Learn more.

gsutil cp from FC Buckets to Google VM

Answered
Follow
Avatar
Tim Wood

Hi,

I am in the process of spinning up my own Google VMs via the compute engine, and need to localize files onto them. When I try to run "gsutil cp" command, it complains of a permissions error:

 

AccessDeniedException: 403 173715694639-compute@developer.gserviceaccount.com does not have storage.objects.list access to fc-secure-d3d4bb1a-7835-45ba-959b-b7bc0042bda5.

 

How can I add each VM to have storage.objects.list access? I am an owner of the workspace, yet when I go to the "Permissions" tab of the bucket, it says I need to be added as a "IAM Storage Admin". I am looking to construct ~100 VM instances and would like a relatively easy way to add these instances to the permissions list.

 

Thanks

1

Comments

4 comments

Sort by Date Votes
  • Avatar
    Bhanu Gandham

    Hi Tim, 

     

    Sorry about the inconvenience. Our dev team is looking into it. Would you please share with us your billing project and workspace name?

    0
    Comment actions Permalink
  • Avatar
    Tim Wood
    • Edited

    Billing project on Google cloud client: ld-shipp-dfci-4740a0

     

    Workspace name: shipp-dfci/Staudt_bams

     

    Now, unfortunately I'm not 100% sure about how FC interacts with gcloud, but it was my impression that the billing account listed above was also the billing account associated with the workspace. If that's not true, I can see how the permissions error would exist. But, otherwise, it seems intuitive that any VM instance created under a billing account X should have permissions to any FC workspace created under billing account X. This would inevitably have to be something on the FC backend (I think), because the VM created by Google should be just a complete fresh install of some Linux distro. I.e., there aren't any SSH keys on the system. Does that make sense? I guess stated in another way, the VM probably doesn't have any idea of the existence of the FC workspace, but the FC workspace should have an idea of the existence of such VMs.

     

    As it stands, my current solution was to manually type "gcloud auth login" and manually log in to every VM I created. So that being said, the problem is technically "solved", but it took roughly an hour to bang out.

     

    Thanks for the help!

    0
    Comment actions Permalink
  • Avatar
    Beri Shifaw

    Hi Tim,

    How do you plan on creating your 100 Google VMs? When creating your VMs you could select a specific account for the VM to use such as your Terra/Firecloud proxy group which should give you access to your workspace buckets. Setting the specific account is mentioned here.

    0
    Comment actions Permalink
  • Avatar
    Tim Wood

    Via the Google compute engine, manually, with templates.

     

    Thanks, I think that second link is exactly what I needed.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Powered by Zendesk