gsutil cp: AccessDeniedException: 403 and unable to edit Bucket permissisons

Post author
Terrance Shea

In trying a gsutil cp command to get a local copy of some output from Terra Workflow in a Google Bucket I run into the error "AccessDeniedException: 403 tshea@broadinstitute.org does not have storage.buckets.getIamPolicy access to the Google Cloud Storage bucket."  I thought that I could simply edit the Permissions on the Bucket by adding the appropriate service account but I am unable to do so ("You need permissions for this action.  Required permission(s): storage.buckets.setIamPolicy").  I am the owner of the workspace ( see image below ) and I have confirmed that when with gcloud auth list that it is this same tshea @ broadinstitute credentialed account that is active when trying the gsutil cp command.  I am stumped on how I could be the owner of this Workspace and the user that launched the Workflow creating this Google Bucket that I would then not be able to access output via gsutil .  I appreciate any guidance you may have on how I can get permissisons set to download some data from this Workflow output.  Thank you.

Comments

5 comments

  • Comment author
    Samantha (she/her)

    Hi Terrance Shea,

     

    Thanks for writing in. Are you able to navigate to the bucket/file and view it in the Google Cloud Storage Browser? 

    If you are able, can you share the workspace where you are seeing this issue with GROUP_FireCloud-Support@firecloud.org by clicking the Share button in your workspace, and also add my email (svelasqu@broadinstitute.org) to the broad-bacterial authorization domain so I can access the workspace?

     

    Best,
    Samantha

    0
  • Comment author
    Terrance Shea

    Hi-

    Thank you for the quick response.  I have shared the Workspace and added you as a user to the broad-bacterial group.  And yes I am able to navigate the Bucket and view the files in the Bucket, and even able to download using the button on far right of screen shot below: 

     

    Please let me know if there is any other info I can provide to assist.

     

    Thank you.

    Terrance

    0
  • Comment author
    Samantha (she/her)

    Hi Terrance Shea,

     

    Can you let us know the workspace name or share a link to the workspace?

    Also, just to confirm, is the error you are getting when running the gsutil cp command: AccessDeniedException: 403 tshea@broadinstitute.org does not have storage.buckets.getIamPolicy access to the Google Cloud Storage bucket.? Can you share the full command you are running when you receive this error? It seems to be in response to a different command. You shouldn't have access to change any permissions on your workspace's underlying GCS bucket so that error message is expected, but you should already have access to download any of it's contents using gsutil cp.

     

    Best,

    Samantha

    0
  • Comment author
    Terrance Shea

    Hi Samantha-

     

    Thank you for your help.  I am not sure exactly which change I did to get this to now work (as I have been doing some trial and error with setting to different accounts (gcloud config set account ) and changing projects ( gcloud config set project) but I am now able to successfully run gsutil cp (and gsutil rsync).  For example this command now proceeds without error gsutil cp gs://fc-secure-57e2b775-b88c-47a8-ab24-842cc0547a81/8e19cc0a-cfc1-4f6c-9982-36bc597d58cb/workflowAssembly/ac894dea-797b-4cae-ae58-63eaafdfebb8/call-asm_metrics/shard-0/112231_D0.asm_metrics.txt .

     

    Thank you again for looking into this. I think this may now be marked as resolved.

     

     

    0
  • Comment author
    Samantha (she/her)

    Hi Terrance Shea,

     

    Glad to hear you were able to resolve the issue. If you need assistance with anything else, please don't hesitate to reach out.

     

    Best,

    Samantha

    0

Please sign in to leave a comment.