google-cloud-platformgoogle-cloud-storagecloudmountgcsfuse

GCSFuse Provided scope(s) are not authroized error

I am using gcsfuse with public access Google Cloud Storage.

When i try to mount storage with command(gcsfuse -o allow_other --implicit-dirs bucket-name /mnt/my_directory), i can see below messages.

2021/10/22 09:08:46.859250 Using mount point: /mnt/my_directory
2021/10/22 09:08:46.876966 Opening GCS connection...
2021/10/22 09:08:47.408667 Mounting file system "bucket-name"...
2021/10/22 09:08:47.410248 File system has been successfully mounted.

But after that, when i try to store my file in mounted directory, there was an error like below.

 [ERROR] Error executing an HTTP request: HTTP response code 403 with body '{
  "error": {
    "code": 403,
    "message": "Provided scope(s) are not authorized",
    "errors": [
      {
        "message": "Provided scope(s) are not authorized",
        "domain": "global",
        "reason": "forbidden"
      }
    ]
  }
}
'
     when initiating an upload to gs://my_bucket/static/dir/1211/53714/

How can i fix this problem? It worked fine until 3 days ago, but suddenly it didn't work, so I'm embarrassed.

Solution

  • This error might be caused by the allow_other command. It is used to override the access permissions of FUSE.

    As a security measure, fuse itself restricts file system access to the user who mounted the file system (cf. fuse.txt). For this reason, gcsfuse by default shows all files as owned by the invoking user. Therefore, you should invoke gcsfuse as the user that will be using the file system, not as the root.

    If you know what you are doing, you can override these behaviors with the allow_other mount option supported by fuse and with the --uid and --gid flags supported by gcsfuse. Be careful, this may have security implications!

    If you read the description of the command you will find:

    allow_other

    This option overrides the security measure restricting file access to the user mounting the filesystem. This option is by default only allowed to the root, but this restriction can be removed with a (userspace) configuration option.

    I think you are getting an out of scope message either because you have not specified the --uid (user id) and the --gid (group id) flags along with the allow_other command or because you have not set up a userspace yet to properly override root permissions with this command If you do not need to use root access, I would simply remove this part of the command and try again.

    Another possible cause I found in a question related to the error 403 was that the bucket or the objects inside of it did not have the correct Access Control system. You mentioned you are using public access Google Cloud Storage, but please consider that your bucket might not have the correct access permissions as well.