We are just trying to use gsutil from the command line to download some DCM data from the Google Cloud Platform:

gsutil -m cp -R gs://dcdt_-dcm_account75701/dcm_account75701_activity_201803* C:\Users\[omissis]\Desktop\ImprData

We are getting the error below. It looks like an access issue, but we have made sure that all the correct access has been given in the cloud console.

AccessDeniedException: 403 [omissis] does not have storage.objects.list access to dcdt_-dcm_account75701. 
CommandException: 1 file/object could not be transferred

Does anyone know what this might be?

Luca Gibelli
Matt
    please don't screenshot text-only error msgs, cut&paste them, it makes it easier for others to find your question – Luca Gibelli Mar 27 '18 at 10:22

1 Answer

It looks like you are copying multiple objects using a wildcard:

dcm_account75701_activity_201803*

For this to work, you also need to grant your user the storage.objects.list privilege, not just the storage.objects.get privilege.

To verify this is the case, replace dcm_account75701_activity_201803* with the full name of one of the objects in the dcdt_-dcm_account75701 bucket.

EDIT: Note that storage.buckets.list and storage.objects.list are two distinct privileges. The former allows you to list all buckets belonging to your project; the latter (which you are missing) allows you to list the objects inside the bucket.

According to the user guide:

https://cloud.google.com/storage/docs/access-control/iam-roles

being an Owner grants you the storage.buckets.* privileges, not the storage.objects.* privileges. You might want to grant the storage.objectAdmin role to your user.

Luca Gibelli
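The check the answer describes, as an added example that is not part of the original post: it parses a denial line in the format quoted in the question, works out which object permissions a source URL needs (wildcards need list as well as get), and names the smallest role in its table that covers the gap. The role table is a deliberately reduced subset, the `roles/owner` entry follows the answer's description, and the bucket, principal and object names are constructed.

```python
import re

# Reduced role table: only the permissions relevant to this question.
# "roles/owner" is modelled as the answer describes it (bucket permissions only).
ROLE_PERMS = {
    "roles/owner": {"storage.buckets.create", "storage.buckets.delete",
                    "storage.buckets.list"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.create", "storage.objects.delete",
                                  "storage.objects.get", "storage.objects.list"},
}

# Matches the message format shown in the question; other gsutil versions may word it differently.
DENIED = re.compile(r"403 (\S+) does not have (\S+) access to (\S+?)\.?\s*$")


def parse_denied(line):
    """Extract principal, missing permission and bucket from a 403 line."""
    m = DENIED.search(line)
    if not m:
        return None
    return dict(zip(("principal", "permission", "bucket"), m.groups()))


def required_permissions(url):
    """Reading an object needs get; expanding a wildcard also needs list."""
    needed = {"storage.objects.get"}
    if any(ch in url for ch in "*?["):
        needed.add("storage.objects.list")
    return needed


def diagnose(url, roles):
    """Return (missing permissions, smallest role in the table that covers them)."""
    granted = set().union(*(ROLE_PERMS.get(r, set()) for r in roles))
    missing = required_permissions(url) - granted
    if not missing:
        return [], None
    candidates = [r for r, perms in ROLE_PERMS.items() if missing <= perms]
    best = min(candidates, key=lambda r: len(ROLE_PERMS[r]), default=None)
    return sorted(missing), best


if __name__ == "__main__":
    # Constructed sample input, shaped like the error in the question.
    line = ("AccessDeniedException: 403 user@example.com does not have "
            "storage.objects.list access to example-bucket. ")
    print(parse_denied(line))
    print(diagnose("gs://example-bucket/activity_201803*", ["roles/owner"]))
```

For a read-only download the smaller role is enough; storage.objectAdmin, suggested above, additionally allows creating and deleting objects.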