gsutil was working as a stand-alone on my system.
Then I installed SDK, including some authentication stuff.
Now gsutil says my credentials are invalid.
$ gcloud auth login wolfvolpi#gmail.com
WARNING: `gcloud auth login` no longer writes application default credentials.
If you need to use ADC, see:
gcloud auth application-default --help
You are now logged in as [redacted].
Your current project is [redacted]. You can change this setting by running:
$ gcloud config set project PROJECT_ID
$ gsutil ls
Your credentials are invalid. Please run
$ gcloud auth login
How to set my credentials so that gsutil runs again?
$ gcloud version
Google Cloud SDK 146.0.0
core 2017.02.28
core-nix 2017.02.28
gcloud
gcloud-deps 2017.02.28
gcloud-deps-linux-x86_64 2017.02.28
gsutil 4.22
gsutil-nix 4.22
If you previously had gsutil configured with credentials, it is possible that it is picking up those old credentials that will no longer work in the Cloud SDK mode. Take a look in your boto file (typically at ~/.boto) and remove any credentials found in there.
You can see the list of the valid fields in the boto file here: https://cloud.google.com/storage/docs/gsutil/commands/config#additional-configuration-controllable-features
The marked solution did not work sometimes. But You can create a new configure setting by using the
gcloud init
Welcome! This command will take you through the configuration of gcloud.
Settings from your current configuration [old config file's name] are:
core:
account: [account]
disable_usage_reporting: 'True'
project: [projectname]
Pick configuration to use:
[1] Re-initialize this configuration [old config file's name] with new settings
[2] Create a new configuration
[3] Switch to and re-initialize existing configuration: [default]
Please enter your numeric choice:
Then you can use option 2 to create new configuration. Try this will work these who not able to done using the above solution.
Also this will work when someone cannot use gsutil cors set [filename].json gs://[BucketName] command to set CORS.
Then try again.
Related
I'm trying to integrate serverless to my circleci workflow.
I tried first adding both, key and secret to AWS permissions, but that did not work.
Then, I added key and secret to Environment variables and in my config file:
sudo npm install -g serverless
sls config credentials --provider aws --key $AWS_ACCESS_KEY_ID --secret $AWS_SECRET_ACCESS_KEY
sls deploy -v
But I see the same error:
Serverless Error ---------------------------------------
You are not currently logged in. Follow instructions in http://slss.io/run-in-cicd to setup env vars for authentication.
Anyone had this issue? I could not find an answer or hint online. Thanks.
This likely only applies to those trying to use Serverless Enterprise with the monitoring & dashboards they have set up. #wintvelt's answer wouldn't work for me because if i deleted the org variable, it would likely break the connection needed for Enterprise. So steps for my CircleCI setup:
In CircleCI, create a Context for each environment with the AWS Key ID and Secret as environment variables (putting them in a context is a nice to have, you could use other methods of making Circle inject environment variables into builds).
In your Serverless Framework dashboard, create a new access key which you will use in Circle.
Create a new environment variable SERVERLESS_ACCESS_KEY with the value from step 2.
I got this idea from reading how Seed.run has users integrate with Serverless. For more info read this link: https://seed.run/docs/integrating-with-serverless-enterprise.
Just checked Circleci stopped supporting AWS Permissions as a configurable option in the settings page.
You need to set the credentials as environment variables for the projects. The credentials should be named exactly AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
that's all you need to do. you don't have to do any additional step. I tried this on my project and it worked.
Your deployment step should simply be
sls deploy
As a follow-up to the previous answer: I had exactly the same error.
I took the solution from the chat as a solution.
For me the fixes I applied:
In CircleCI project settings, under "AWS permissions" I added the AWS Access Key ID and Secret Access key
In CircleCI project settings, under "Environment variables", I also added the AWS Access Key ID and Secret Access key
From my serverless.yml file, I deleted the line with org variable
For me, 1. and 2. alone was not enough. I also had to remove the line from my yml file to make deployment via CircleCI work.
For those landing here with the same issue, hope this helps!
I have no idea why, but I am running gcloud auth login, I have tried beta and application-default. All of them do not create the file: ~/.config/gcloud/credentials, instead I can find ~/.config/gcloud/legacy_credentials.
The issue I am having is that the library I am using does not want legacy_credentials, and renaming the folder did not work.
Here are my settings:
Google Cloud SDK 183.0.0
alpha 20
17.12.08
beta 2017.12.08
bq 2.0.27
core 2017.12.08
gsutil 4.28
Also I am using Ubuntu 16.04.3 LTS on digitalocean. I will be glad to supply any other information I can think of.
The credentials in the legacy folder contain:
" ============================================================================
" Netrw Directory Listing (netrw v155)
" /root/.config/gcloud/legacy_credentials/matt#mindbrainhive.org
" Sorted by name
" Sort sequence: [\/]$,\<core\%(\.\d\+\)\=\>,\.h$,\.c$,\.cpp$,\~\=\*$,*,\.o$,\.obj$,\.info$,\.swp$,\.bak$,\~$
" Quick Help: <F1>:help -:go up dir D:delete R:rename s:sort-by x:special
" ==============================================================================
../
./
.boto
adc.json
gcloud no longer uses ~/.config/gcloud/credentials, instead it stores credentials in sqlite3 ~/.config/gcloud/credentials.db.
These credentials files are considered internal to gcloud, they can change at any time. You should not be using them. What you likely want to use is
gcloud auth application-default login
instead of gcloud auth login. The former will create ~/.config/gcloud/application_default_credentials.json key file for user logged in account.
That said depending what you trying to do you probably want use service accounts (instead of user account). You can create the key file via
gcloud iam service-accounts keys create
See documentation for more info. Or you can use Google Cloud Platform Console to create key file.
Once you obtain json key file you can use it in your application as application default credentials, see https://developers.google.com/identity/protocols/application-default-credentials#howtheywork
You can also use this key in gcloud by using gcloud auth activate-service-account command.
I am new with Amazon codecommit.
Following their instruction, I did some works like below
make a new IAM user with AdministratorAccess
make a new codecommit repository
install awscli and did aws configure
When I right finished those things, I could pull/push from codecommit.
However it became disabled with intellij Idea.
I did something like...
I pull a project from gitlab
git remote rm origin
git remote add origin [code commit url]
git branch --set-upstream-to origin/master
Now I type git [pull / push] origin master, I got this error message.
unable to access 'https://git-codecommit.ap-northeast-1.amazonaws.com/v1/repos/test17/': The requested URL returned error: 403
When I access this url via browser, it requires id/pw. But my IAM user account information is not working.
What should I do? Is there any way to switch gitlab and codecommit in intellij?
Thanks.
IntelliJ does not use awscli. It uses the default system shell.
From the description, it looks like push/pull does not work for the command-line git in the native shell, so the issue is not IntelliJ-related.
Probably git tries to use wrong credentials save in its credential.helper, that is why it fails.
Check git config credential.helper to see if any is configured. If there is one, try disabling it or clear the saved credentials.
From the description it looks like you are trying to connect to a CodeCommit repository in Intellij using https. To do this you need to generate GitCredentials(username/password) for your iam user in the IAM console.
Detailed steps are documented in the aws documentation: http://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-gc.html
Once you have the username/password you can use those credentials to connect to your CodeCommit repository in Intellij.
Tested on a Mac. Your milage may vary!
I just ran into the same issue. MacOS stores the GIT UID and PW in the Keychain (in your Applications > Utilities Folder). I deleted all references to AWS Code Commit from the keychain, which forced me to reenter the UID & PW. This seems to have solve the problem.
As a side note: I think this happened because I revoked a prior GIT credential on AWS and created a new one. I think that the keychain was entering the old UID/PW which then failed during authentication.
First, you are going to want to create an IAM user with appropriate permissions and then create Git credentials. Then go to IntelliJ IDEA and say you are opening project from VCS with Git credentials, use the AWS git credentials you created and log in. Once you have logged in, you should be able to pull/push to the repo. If you are still having issues and have checked the credentials you are using are active, along with the IAM user those credentials are attached to have the right permissions, I would recommend creating a ticket on AWS support as there may be something wrong with your account that AWS staff will need to fix.
I am using gsutil with a service account to download a file from a gs bucket. I ran it once an hour ago and it worked without a problem, and then I ran the same code again and I get an AccessDeniedException: 401 Login Required.
To get more information, I run the command with a -D flag, like:
gsutil -D cp gs://mybucket/file localpath
In the debug output, I look at:
Command being run: /path/to/gsutil
config_file_list: /path/to/boto/config
Case 1: Running gsutil under a service account or as another user
I configured a service account using the executable at /path/to/gsutil, not gcloud auth or any other gsutil executable on the machine, using:
/path/to/gsutil config -e
This created a .boto config file in my home directory, $HOME/.boto, which I then moved to another location to refer to by the service.
Since I'm running the service as another user, I need to reference the newly-created .boto file. I set the environment variable BOTO_CONFIG:
BOTO_CONFIG=/path/to/$HOME/.boto
export BOTO_CONFIG
I can confirm that I am referencing the correct config file by looking at the config_file_list variable in the gsutil -D command's output.
To set up the service account, I followed:
https://console.cloud.google.com/permissions/serviceaccounts
The key file from the service account set-up process was downloaded, and the path to it is included during the gsutil config -e step.
However, the response to running the gsutil command from the service account is AccessDeniedException: 401 Login Required.
Case 2: API Explorer
On further exploration, I used the web-based API explorer storage.objects.get at:
https://developers.google.com/apis-explorer/#p/storage/v1/storage.objects.get
to get the object's "mediaLink". When I click the mediaLink, I still receive a response that says "Login Required", despite being logged into my google account on the browser.
Why am I receiving the above "Login Required" responses in both cases, when I have set up the service account as instructed in Case 1, and am logged into the API explorer in Case 2?
I was able to solve this problem by looking at the read permissions on the .boto file. The file that was created by
gsutil config -e
only had read permissions set for the current user. Since it was being read by a service running as a different user, it wasn't able to read the file and yielding a 401 Login Required error. I fixed it by adding read permissions for the service's group.
In the least sophisticated case, you could fix it by giving any user read permission with
chmod a+r .boto
we had configured standalone gsutil on a remote server, however we do not have access to the server anymore. How do we revoke access provided to gsutil on that server. The .boto file will have the refresh Oauth2.0 token.
we do not have access to the server and so cannot remove .boto file.
The project configured is active in our console but we cannot see any specific access in permissions section.
A standalone gsutil script was installed (not gcloud).
Use gcloud auth revoke.
https://cloud.google.com/sdk/gcloud/reference/auth/revoke
The .gsutil directory just gets recreated within 10 seconds for me.
OK we can revoke access to gsutil from account permissions through this link:
https://security.google.com/settings/security/permissions
screenshot for Google Security Permissions Page
Just remove credstore files.
rm -rf ~/.gsutil/