Po Stevanus

    Po Stevanus

    1 year ago
    Hi Guys, i hope this is the correct place to ask this question. I have an error when running my flow and this is my error message
    Failed to load and execute Flow's environment: Forbidden('GET <https://storage.googleapis.com/storage/v1/b/bonza-dev-files?projection=noAcl&prettyPrint=false>: Caller does not have storage.buckets.get access to the Google Cloud Storage bucket.')
    Background: • Agent: Kubernetes Autopilot • Storage: Google Cloud Storage What i’ve done:1. I have prepare a service account with
    Storage.Admin
    role, i called it
    OLYMPUS_DEV_SA
    2. When declaring the storage i have mention this
    storage = GCS(bucket="bonza-dev-files", project="bonza-dev", secrets=["OLYMPUS_DEV_SA"])
    If it helps, i’ve attach the code to this thread Is there a way to debug this? 🙇
    import time
    import random
    import prefect
    from prefect import task, Flow
    
    from prefect.storage import GCS
    from prefect.run_configs import KubernetesRun
    
    
    @task
    def sleep():
        t = random.randint(30,60)
        logger = prefect.context.get("logger")
        <http://logger.info|logger.info>("Sleeping for {} seconds -- START".format(t))
        time.sleep(t)
        <http://logger.info|logger.info>("Sleeping for {} seconds -- FINISH".format(t))
    
    flow_name = "po-k8s-flow-deploy-from-local"
    storage = GCS(bucket="bonza-dev-files", project="bonza-dev", secrets=["OLYMPUS_DEV_SA"])
    run_config = KubernetesRun(cpu_limit=0.5, memory_limit="1G", labels=["client_po"])
    
    with Flow(
        flow_name,
        run_config=run_config,
        storage=storage
    ) as flow:
        sleep1 = sleep()
        sleep2 = sleep()
        sleep3 = sleep()
    
        sleep3.set_upstream(sleep2)
        sleep3.set_upstream(sleep1)
    
    flow.register(project_name="po-test")
    m

    Mariia Kerimova

    1 year ago
    Hello 👋 As I remember, you need to grant
    Storage Object Admin
    role, instead of storage admin, then it should work (after you update secret with new service account key).