Closed raviprakash007 closed 1 month ago
Thanks for reaching out @raviprakash007 !
This error comes when the service account/user used in GCSFuse for authentication with GCS doesn't have storgage.object.Update permissions. However, as you mentioned you already have set storage admin role which should have update permissions (is it possible that the role was changed by any other application/process in your project when the file was being created ?).
Unfortunately, we were not able to reproduce the issue. Is this issue always reproducible on your side ? If yes, then we would need more information in order to debug this further, so we request you to reach out via support channel where we can request more information from you.
No other applications use the Bucket. This is reproducible on all VM instances we have in GCP. For re-verification, I can launch a new instance and check it again with a new GCS bucket and new service account mounted with VM.
However, for other existing VMs, I have tested the scenario with the root user ( mouting with uid=0, gid=0) and even root user was also facing the same permission denied issue, while the file was being created.
In all cases, Vi editor works without any issues and no permission issue is there
For re-verification, I can launch a new instance and check it again with a new GCS bucket and new service account mounted with VM.
Sure, if you are using default service account, then we suggest to check this option to allow propagation of the storage admin permission granted to the default service account:
In all cases, Vi editor works without any issues and no permission issue is ther
This happens because in case of Vi, the mtime is updated before the newly created file is sync'ed (Sync/Flush file call) to GCS, hence the mtime is updated locally. However in case of touch, the mtime is updated after Sync/Flush file call which requires updating the backing object in GCS and if the service account/user doesn't have storage object update permission, then this update fails. In short, there is a different in working of Vi and touch applications but the permission error in touch suggests that the service account/user being used doesn't have storage.object.Update permissions.
Let me check this on a new VM
[webmaster@instance-20240814-141453 storage]$ sudo touch a.txt [webmaster@instance-20240814-141453 storage]$ touch b.txt [webmaster@instance-20240814-141453 storage]$ ls -ltr . .. a.txt b.txt
Its working with Full access given to default sevice account.
Thank you @raviprakash007 for confirming. Closing this issue. Please re-open or create one if you face any other issues.
The issue I am trying to create files from running application and even manually to the mounted GCS Bucket. It works with vi editor but not with touch command. The file is created but the error is always coming as permission denied.
System & Version
Steps to reproduce the behavior with following information:
mount command: $ sudo gcsfuse --implicit-dirs --uid=1001 --gid=1002 --dir-mode 777 --file-mode 777 -o rw -o allow_other -o sync --foreground --debug_fuse --debug_fs --debug_gcs --debug_http bucket_number_10121 /mnt/cloud-storage
In second console $ cd /mnt/cloud-storage/audio <-- audio folder was already there $ sudo touch file.txt touch: setting times of 'file.txt': Permission denied
Additional context Fuse Logs:
The default Service Account is already having Storage Admin Role.