I have looked at posts with similar issues, telling me to update API permissions, which I have:
I have also granted permission to the service agent in my Google Cloud storage bucket:
I have tried starting/restarting the instance multiple times with the changed settings and it is never working. It keeps giving me access denied:
The GCS and the GCE VM are both under the same project, and I am able to copy from it just fine.
Does anyone have another fix for this? I am still new to Google Cloud so further instructions/clarifications would also be helpful!
One quick fix I was able to find was to manually run
gcloud auth login
in SSH, and then follow the instructions to log in with your Google Account to get access to all permissions. Then, you will get write access. However, this solution does not fix the instance's permissions.
Access scopes are not permissions. You need both the appropriate access scope(s) AND the appropriate permission(s) in order to allow the instance's attached service account to do the specified operation. It looks like you have the necessary scope granted, so now you'll need to grant the appropriate permissions to the GCE service account your instance is using (note that this is not the same as the service agent mentioned in your question). This is explained in these docs.
I'm assuming you're using the default GCE service account for this instance. According to the docs, that service account should look like PROJECT_NUMBER-compute@developer.gserviceaccount.com
. The service account attached to this instance is the one you'll need to grant storage writer permission to.