Java Storage test fails with 403 Forbidden error message. #3594
Comments
|
@frankyn I believe you are the expert on this. Could you take a look? Please let me know if I should bug someone else :) |
|
@suhasm21 getService and CMEK for GCS have hardcoded values here. When you are running tests you'd need to update these values with a GCS managed serviceAccount for the project and two KMS keys. Hardcoded values are too brittle in this case. One action item would be to move these hardcoded values that are project dependent to an environment variable so they can be set before being ran. There's additional to setup is required to use KMS key with GCS to encrypt/decrypt objects. |
|
Thanks for the update. A similar issue was reported in Python Storage system test. It was fixed by making the test to be more generic and use values set in the environment variable (As mentioned in your comment). Would really appreciate if thats done. |
|
I'll pick up the fix. |
yihanzhen
added
type: bug
URL: https://github.com/GoogleCloudPlatform/google-cloud-java/tree/master/google-cloud-clients/google-cloud-storage
Steps:
1 . cd google-cloud-java/google-cloud-clients/google-cloud-storage
2. Set JSON key file path to GOOGLE_APPLICATION_CREDENTIALS
3. mvn verify
RESULT:
T E S T S
Running com.google.cloud.storage.it.ITStorageTest
caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException:
403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key.",
"reason" : "forbidden"
} ],
"message" : "Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key."
}
Results :
Failed tests:
ITStorageTest.testGetServiceAccount:1923 expected:<[gcloud-devel]@gs-project-accounts...> but was:<[service-725184503843]@gs-project-accounts...>
Tests in error:
ITStorageTest.testCreateBlobWithDefaultKmsKeyName:276 » Storage Permission den...
ITStorageTest.testCreateBlobWithKmsKeyName:243 » Storage Permission denied on ...
ITStorageTest.testGetBlobKmsKeyNameField:378 » Storage Permission denied on Cl...
ITStorageTest.testListBlobsKmsKeySelectedFields:482 » Storage Permission denie...
ITStorageTest.testRotateFromCustomerEncryptionToKmsKey:987 » Storage Permissio...
Tests run: 76, Failures: 1, Errors: 5, Skipped: 0
Please refer attached doc for command output
JavaStorageFailures.docx
It looks like the test is using some default service account and not using the service account set as part of GOOGLE_APPLICATION_CREDENTIALS
The text was updated successfully, but these errors were encountered: