Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

"Access Denied. Provided scope(s) are not authorized" error when trying to make objects public using the REST API

Tags:

rest

google-cloud-platform

google-cloud-storage

google-cloud-iam

I am attempting to set permissions on individual objects in a Google Cloud Storage bucket to make them publicly viewable, following the steps indicated in Google's documentation. When I try to make these requests using our application service account, it fails with HTTP status 403 and the following message:

Access denied. Provided scope(s) are not authorized.

Other requests work fine. When I try to do the same thing but by providing a token for my personal account, the PUT request to the object's ACL works... about 50% of the time (the rest of the time it is a 503 error, which may or may not be related).

Changing the IAM policy for the service account to match mine - it normally has Storage Admin and some other incidental roles - doesn't help, even if I give it the overall Owner IAM role, which is what I have.

Using neither the XML API nor the JSON version makes a difference. That the request sometimes works with my personal credentials indicates to me that the request is not incorrectly formed, but there must be something else I've thus far overlooked. Any ideas?

like image 811
Evan Avatar asked Oct 29 '25 14:10

Evan

2 Answers

When trying to access GCS from a GCE instance and getting this error message ...
the default scope is devstorage.read_only, which prevents all write operations.

Not sure if scope https://www.googleapis.com/auth/cloud-platform is required, when scope https://www.googleapis.com/auth/devstorage.read_only is given by default (eg. to read startup scripts). The scope should rather be: https://www.googleapis.com/auth/devstorage.read_write.

And one can use gcloud beta compute instances set-scopes to edit the scopes of an instance:

gcloud beta compute instances set-scopes $INSTANCE_NAME \
  --project=$PROJECT_ID \
  --zone=$COMPUTE_ZONE \
  --scopes=https://www.googleapis.com/auth/devstorage.read_write \
  --service-account=$SERVICE_ACCOUNT

One can also pass all known alias names for scopes, eg: --scopes=cloud-platform. The command must be run outside of the instance, because of permissions - and the instance must be shutdown, in order to change the service account.

like image 118
Martin Zeitler Avatar answered Oct 31 '25 11:10

Martin Zeitler

Check for the scope of the service account incase you are using the default compute engine service account. By default the scope is restricted and for GCS it is read only. Use rm -r ~/.gsutil to clear cache in case of clearing cache

like image 45
Ambesh Avatar answered Oct 31 '25 10:10

Ambesh

Sign in to Comment

Related questions

How can I get access to http headers in Servant?
Spring boot Rest controller - convert form-encoded body to POJO
Multiple files upload using swagger operation
How to add parameters to java.net.http.HttpClient GET request?
Access the Cosmos DB Table Endpoint using oData
Creating REST api in Databricks which would display delta tables information to the user?
RESTful API Design best practice for request metadata (session id etc)?
If a REST web service call fails, should a message or event queue be used to retry later?
Failed to execute 'setRequestHeader' on 'XMLHttpRequest' [...] is not a valid HTTP header field value
Access Response Status Code in Angular 4 / Express

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!