Gcloud Compute Copy-Files: Permission Denied When Copying Files

`gcloud compute copy-files`: permission denied when copying files

Insert root@ before the instance name:

local:$ gcloud compute copy-files /Users/Bryan/Documents/Websites/gce/index.php root@example-instance:/var/www/html --zone us-central1-a

gcloud compute scp - permission denied error

It turned out that I already had an identically named file at the destination. This caused the error. But Patrick W's comment is very helpful.

Google cloud scp permission denied

The command line should be

scp -r -i ~/.ssh/my-keygen /path/to/directory/ [USERNAME]@[IP]:/var/www/html/

Assuming your files are in the local /path/to/directory/ and the /var/www/html/ is on the remote server.

The permissions do not allow writing to /var/www/html/. Writing to /tmp/ should work. Then you can copy the files with sudo to the desired destination with root privileges.

gsutil copy returning AccessDeniedException: 403 Insufficient Permission from GCE

One other thing to look for is to make sure you set up the appropriate scopes when creating the GCE VM. Even if a VM has a service account attached, it must be assigned devstorage scopes in order to access GCS.

For example, if you had created your VM with devstorage.read_only scope, trying to write to a bucket would fail, even if your service account has permission to write to the bucket. You would need devstorage.full_control or devstorage.read_write.

See the section on Preparing an instance to use service accounts for details.

Note: the default compute service account has very limited scopes (including having read-only to GCS). This is done because the default service account has Project Editor IAM permissions. If you use any user service account, this is not typically a problem, since user-created service accounts get all scope access by default.

After adding necessary scopes to the VM, gsutil may still be using cached credentials which don't have the new scopes. Delete ~/.gsutil before trying the gsutil commands again. (Thanks to @mndrix for pointing this out in the comments.)

AccessDeniedException: 403 when trying to copy file to Google Storage from VM using gsutil

It looks like the account you're using to attempt this copy doesn't have permission to write an object to the bucket-name bucket.

If you're doing this on a GCE VM and using its default service account, make sure that you selected the correct access scopes when creating the VM -- the default scopes include read-only access to GCS. You can check this by logging into the VM and using curl to query the GCE metadata server:

$ curl -H 'Metadata-Flavor: Google' "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"
[...]
https://www.googleapis.com/auth/devstorage.read_only
[...]
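
Added example (not part of the original answers): a shell check that ranks the scope list returned by the metadata query above and reports whether bucket writes are possible. It also treats the cloud-platform scope as full access, which the answers do not mention; the function names and the sample scope list are constructed for illustration.

```shell
#!/bin/sh
# Added example: rank a VM's access scopes for Cloud Storage (GCS) writes.
SCOPE_URL='http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'

# Constructed sample of a scope list, one URL per line, read-only for GCS.
SAMPLE_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write'

# Query the metadata server; this only works from inside a GCE VM.
fetch_scopes() {
    curl -s -f -H 'Metadata-Flavor: Google' "$SCOPE_URL"
}

# Read scope URLs on stdin and print the strongest GCS level granted:
# full_control > read_write > read_only > none.
# Assumption: cloud-platform is ranked as full_control (not from the page).
gcs_access_level() {
    level=none
    while IFS= read -r scope || [ -n "$scope" ]; do
        case "$scope" in
            */auth/cloud-platform|*/auth/devstorage.full_control)
                level=full_control ;;
            */auth/devstorage.read_write)
                [ "$level" = full_control ] || level=read_write ;;
            */auth/devstorage.read_only)
                if [ "$level" = none ]; then level=read_only; fi ;;
        esac
    done
    printf '%s\n' "$level"
}

# Exit 0 when the scopes on stdin permit writing objects to a bucket.
scopes_allow_write() {
    case "$(gcs_access_level)" in
        read_write|full_control) return 0 ;;
        *) return 1 ;;
    esac
}

# Use the constructed sample unless run with --live on a VM.
if [ "${1:-}" = "--live" ]; then
    scopes=$(fetch_scopes) || { echo "metadata server unreachable" >&2; exit 2; }
else
    scopes=$SAMPLE_SCOPES
fi
echo "GCS access granted by scopes: $(printf '%s\n' "$scopes" | gcs_access_level)"
if ! printf '%s\n' "$scopes" | scopes_allow_write; then
    echo "Bucket writes will return 403 even if IAM allows them."
fi
```

Run it with `--live` on the VM to check the real scope list instead of the sample.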

ERROR: (gcloud.compute.scp) [/usr/bin/scp] exited with return code [1]


Reason of the message:

This message means that the network connection from the client to the server is working, and that SSH is running. However, key-based authentication failed.


Troubleshooting steps:

  • Make sure that you have authenticated to gcloud as an IAM user with the compute instance admin role.

Run gcloud auth login [IAM-USER], then try gcloud compute ssh again.

  • Verify that persistent SSH Keys metadata for gcloud is set for either the project or instance.

gcloud compute project-info describe --format flattened | grep commonInstanceMetadata.items | grep ssh | grep -v expireOn

  • It's possible that you lost the private key, mismatched a keypair, etc. You can force gcloud to generate a new SSH keypair by doing the following:
  1. If present, move ~/.ssh/google_compute_engine and ~/.ssh/google_compute_engine.pub. For example:

    mv ~/.ssh/google_compute_engine.pub ~/.ssh/google_compute_engine.pub.old

    mv ~/.ssh/google_compute_engine ~/.ssh/google_compute_engine.old

  2. Try gcloud compute ssh [INSTANCE-NAME] again. A new keypair will be created and the public key will be added to the SSH keys metadata.

  • Verify that the Linux Guest Environment scripts are installed and running. If the Linux Guest Environment is not installed, re-install it.

