Failed with 403: Forbidden google drive upload

This folio describes troubleshooting methods for common errors you may encounter while using Cloud Storage.

Run into the Google Cloud Status Dashboard for data about regional or global incidents affecting Google Cloud services such as Cloud Storage.

Logging raw requests

When using tools such as gsutil or the Deject Storage client libraries, much of the request and response information is handled past the tool. However, it is sometimes useful to meet details to aid in troubleshooting. Use the following instructions to return request and response headers for your tool:

Console

Viewing request and response data depends on the browser you're using to access the Google Cloud Panel. For the Google Chrome browser:

1. Click Chrome's chief card button ().

2. Select More Tools.

3. Click Programmer Tools.

4. In the pane that appears, click the Network tab.

gsutil

Use the global -D flag in your request. For instance:

gsutil -D ls gs://my-bucket/my-object

Customer libraries

C++

• Fix the environment variable CLOUD_STORAGE_ENABLE_TRACING=http to get the full HTTP traffic.

• Set the environment variable CLOUD_STORAGE_ENABLE_CLOG=yes to go logging of each RPC.

C#

Add a logger via ApplicationContext.RegisterLogger, and set up logging options on the HttpClient bulletin handler. For more data, see the FAQ entry.

Get

Set the environment variable GODEBUG=http2debug=1. For more data, see the Go parcel net/http.

If y'all want to log the asking body likewise, use a custom HTTP client.

Java

1. Create a file named "logging.properties" with the following contents:

   # Properties file which configures the performance of the JDK logging facility. # The system will look for this config file to exist specified as a system property: # -Djava.util.logging.config.file=${project_loc:googleplus-simple-cmdline-sample}/logging.properties  # Ready the console handler (uncomment "level" to show more fine-grained messages) handlers = java.util.logging.ConsoleHandler java.util.logging.ConsoleHandler.level = CONFIG  # Set upwardly logging of HTTP requests and responses (uncomment "level" to show) com.google.api.client.http.level = CONFIG

2. Use logging.properties with Maven

   mvn -Djava.util.logging.config.file=path/to/logging.backdrop                      insert_command                    

For more information, see Pluggable HTTP Transport.

Node.js

Set the environment variable NODE_DEBUG=https before calling the Node script.

PHP

Provide your own HTTP handler to the client using httpHandler and fix up middleware to log the request and response.

Python

Use the logging module. For example:

import logging import http.customer  logging.basicConfig(level=logging.DEBUG) http.client.HTTPConnection.debuglevel=v

Red

At the elevation of your .rb file afterwards require "google/cloud/storage", add the following:

reddish Google::Apis.logger.level = Logger::DEBUG

Fault codes

The post-obit are common HTTP condition codes you lot may run across.

301: Moved Permanently

Issue: I'm setting upwardly a static website, and accessing a directory path returns an empty object and a 301 HTTP response code.

Solution: If your browser downloads a goose egg byte object and yous get a 301 HTTP response lawmaking when accessing a directory, such as http://world wide web.example.com/dir/, your bucket about likely contains an empty object of that name. To check that this is the instance and fix the effect:

1. In the Google Deject Panel, get to the Cloud Storage Browser page.

   Go to Browser

2. Click the Activate Cloud Beat push at the top of the Google Cloud Console.
3. Run gsutil ls -R gs://www.instance.com/dir/. If the output includes http://www.example.com/dir/, yous accept an empty object at that location.
4. Remove the empty object with the command: gsutil rm gs://www.example.com/dir/

Y'all tin now access http://www.case.com/dir/ and take it return that directory's alphabetize.html file instead of the empty object.

400: Bad Request

Result: While performing a resumable upload, I received this mistake and the message Failed to parse Content-Range header.

Solution: The value yous used in your Content-Range header is invalid. For example, Content-Range: */* is invalid and instead should exist specified every bit Content-Range: bytes */*. If y'all receive this fault, your electric current resumable upload is no longer active, and you lot must kickoff a new resumable upload.

Issue: Requests to a public bucket directly, or via Cloud CDN, are declining with a HTTP 401: Unauthorized and an Authentication Required response.

Solution: Check that your customer, or any intermediate proxy, is not adding an Authorization header to requests to Cloud Storage. Whatsoever request with an Authorization header, even if empty, is validated as if information technology were an authentication attempt.

403: Business relationship Disabled

Event: I tried to create a saucepan but got a 403 Account Disabled error.

Solution: This mistake indicates that you take not yet turned on billing for the associated project. For steps for enabling billing, see Enable billing for a project.

If billing is turned on and you continue to receive this mistake bulletin, you can achieve out to support with your project ID and a description of your trouble.

403: Admission Denied

Issue: I tried to listing the objects in my saucepan only got a 403 Access Denied error and/or a message similar to Anonymous caller does not take storage.objects.list access.

Solution: Bank check that your credentials are correct. For example, if you are using gsutil, check that the credentials stored in your .boto file are accurate. Also, confirm that gsutil is using the .boto file you look by using the command gsutil version -l and checking the config path(s) entry.

Assuming y'all are using the correct credentials, are your requests being routed through a proxy, using HTTP (instead of HTTPS)? If so, check whether your proxy is configured to remove the Authorization header from such requests. If so, make sure you lot are using HTTPS instead of HTTP for your requests.

403: Forbidden

Consequence: I am downloading my public content from storage.cloud.google.com, and I receive a 403: Forbidden error when I apply the browser to navigate to the public object:

https://storage.cloud.google.com/BUCKET_NAME/OBJECT_NAME        

Solution: Using storage.cloud.google.com to download objects is known as authenticated browser downloads; it always uses cookie-based authentication, even when objects are made publicly accessible to allUsers. If you have configured Data Access logs in Cloud Audit Logs to rails access to objects, one of the restrictions of that feature is that authenticated browser downloads cannot exist used to access the affected objects; attempting to do then results in a 403 response.

To avoid this issue, exercise one of the following:

• Utilise straight API calls, which support unauthenticated downloads, instead of using authenticated browser downloads.
• Disable the Cloud Storage Data Access logs that are tracking access to the afflicted objects. Be aware that Data Access logs are set at or above the project level and can be enabled simultaneously at multiple levels.
• Fix Information Access log exemptions to exclude specific users from Data Access log tracking, which allows those users to perform authenticated browser downloads.

409: Conflict

Issue: I tried to create a bucket only received the following error:

409 Conflict. Sorry, that name is not available. Delight try a different one.

Solution: The bucket name you tried to apply (e.thou. gs://cats or gs://dogs) is already taken. Deject Storage has a global namespace and then you may non name a bucket with the same name as an existing bucket. Cull a name that is not being used.

429: Too Many Requests

Event: My requests are being rejected with a 429 Too Many Requests mistake.

Solution: You are hitting a limit to the number of requests Cloud Storage allows for a given resource. Meet the Deject Storage quotas for a discussion of limits in Cloud Storage. If your workload consists of yard's of requests per 2nd to a bucket, see Request rate and access distribution guidelines for a word of best practices, including ramping up your workload gradually and avoiding sequential filenames.

Diagnosing Google Deject Panel errors

Result: When using the Google Cloud Console to perform an operation, I get a generic fault message. For instance, I see an mistake message when trying to delete a bucket, simply I don't see details for why the operation failed.

Solution: Apply the Google Cloud Console's notifications to encounter detailed information about the failed operation:

1. Click the Notifications button in the Google Cloud Console header.

   

   A dropdown displays the near recent operations performed by the Google Deject Console.

2. Click the item you want to find out more nigh.

   A page opens up and displays detailed information about the performance.

3. Click on each row to expand the detailed error information.

   Below is an instance of error information for a failed saucepan deletion operation, which explains that a saucepan retention policy prevented the deletion of the bucket.

   

gsutil errors

The following are common gsutil errors you may encounter.

gsutil stat

Result: I tried to use the gsutil stat command to display object status for a subdirectory and got an error.

Solution: Cloud Storage uses a flat namespace to shop objects in buckets. While yous can use slashes ("/") in object names to get in appear as if objects are in a hierarchical structure, the gsutil stat control treats a trailing slash as role of the object proper name.

For example, if y'all run the command gsutil -q stat gs://my-bucket/my-object/, gsutil looks up data about the object my-object/ (with a trailing slash), as opposed to operating on objects nested under my-bucket/my-object/. Unless you actually have an object with that name, the operation fails.

For subdirectory listing, employ the gsutil ls instead.

gcloud auth

Effect: I tried to authenticate gsutil using the gcloud auth control, but I still cannot access my buckets or objects.

Solution: Your system may accept both the stand-lonely and Google Deject CLI versions of gsutil installed on it. Run the command gsutil version -fifty and cheque the value for using deject sdk. If False, your system is using the stand-solitary version of gsutil when yous run commands. You can either remove this version of gsutil from your organisation, or y'all can authenticate using the gsutil config command.

Static website errors

The following are common issues that you may see when setting up a bucket to host a static website.

HTTPS serving

Event: I want to serve my content over HTTPS without using a load balancer.

Solution: Y'all can serve static content through HTTPS using direct URIs such every bit https://storage.googleapis.com/my-bucket/my-object. For other options to serve your content through a custom domain over SSL, you lot tin:

• Use a 3rd-political party Content Delivery Network with Cloud Storage.
• Serve your static website content from Firebase Hosting instead of Cloud Storage.

Domain verification

Issue: I can't verify my domain.

Solution: Normally, the verification process in Search Console directs you to upload a file to your domain, but y'all may not accept a fashion to do this without start having an associated bucket, which yous can only create after you lot accept performed domain verification.

In this case, verify ownership using the Domain name provider verification method. Come across Buying verification for steps to reach this. This verification tin can be done before the bucket is created.

Inaccessible folio

Issue: I get an Access denied fault message for a spider web page served by my website.

Solution: Bank check that the object is shared publicly. If it is not, see Making Data Public for instructions on how to do this.

If you previously uploaded and shared an object, only then upload a new version of it, so you must reshare the object publicly. This is because the public permission is replaced with the new upload.

Permission update failed

Outcome: I get an fault when I attempt to make my data public.

Solution: Make sure that you have the setIamPolicy permission for your object or bucket. This permission is granted, for case, in the Storage Admin role. If you have the setIamPolicy permission and you still become an error, your bucket might be subject to public access prevention, which does non let admission to allUsers or allAuthenticatedUsers. Public access prevention might be set on the bucket directly, or information technology might be enforced through an organization policy that is prepare at a higher level.

Content download

Outcome: I am prompted to download my folio's content, instead of being able to view it in my browser.

Solution: If you specify a MainPageSuffix as an object that does not accept a web content type, so instead of serving the folio, site visitors are prompted to download the content. To resolve this upshot, update the content-type metadata entry to a suitable value, such as text/html. Run across Editing object metadata for instructions on how to practise this.

Latency

The post-obit are common latency issues you lot might encounter. In addition, the Google Cloud Condition Dashboard provides information near regional or global incidents affecting Google Deject services such as Cloud Storage.

Upload or download latency

Issue: I'm seeing increased latency when uploading or downloading.

Solution: Use the gsutil perfdiag command to run performance diagnostics from the afflicted environment. Consider the following common causes of upload and download latency:

• CPU or memory constraints: The affected environs's operating system should have tooling to measure local resource consumption such as CPU usage and retentivity usage.

• Disk IO constraints: As part of the gsutil perfdiag control, use the rthru_file and wthru_file tests to gauge the performance bear on caused by local disk IO.

• Geographical distance: Performance tin be impacted by the physical separation of your Cloud Storage bucket and affected environment, especially in cross-continental cases. Testing with a bucket located in the same region as your afflicted surround can identify the extent to which geographic separation is contributing to your latency.

  • If applicable, the affected environment'southward DNS resolver should use the EDNS(0) protocol so that requests from the surround are routed through an appropriate Google Front end End.

gsutil or client library latency

Issue: I'k seeing increased latency when accessing Cloud Storage with gsutil or one of the client libraries.

Solution: Both gsutil and customer libraries automatically retry requests when it'due south useful to do so, and this behavior tin finer increase latency equally seen from the end user. Apply the Cloud Monitoring metric storage.googleapis.com/api/request_count to see if Cloud Storage is consistenty serving a retryable response code, such as 429 or 5xx.

Proxy servers

Event: I'thou connecting through a proxy server. What practise I need to do?

Solution: To access Cloud Storage through a proxy server, you must allow access to these domains:

• accounts.google.com for creating OAuth2 authentication tokens via gsutil config
• oauth2.googleapis.com for performing OAuth2 token exchanges
• *.googleapis.com for storage requests

If your proxy server or security policy doesn't support whitelisting by domain and instead requires whitelisting past IP network block, we strongly recommend that yous configure your proxy server for all Google IP accost ranges. You lot can find the address ranges by querying WHOIS information at ARIN. As a best practice, you should periodically review your proxy settings to ensure they match Google'due south IP addresses.

We do not recommend configuring your proxy with individual IP addresses you lot obtain from 1-time lookups of oauth2.googleapis.com and storage.googleapis.com. Because Google services are exposed via DNS names that map to a large number of IP addresses that can change over time, configuring your proxy based on a one-time lookup may lead to failures to connect to Cloud Storage.

If your requests are beingness routed through a proxy server, you may demand to check with your network administrator to ensure that the Authorization header containing your credentials is not stripped out by the proxy. Without the Authorization header, your requests are rejected and you receive a MissingSecurityHeader error.

What's adjacent

• Larn almost your support options.
• Notice answers to additional questions in the Cloud Storage FAQ.
• Explore how Error Reporting can help you identify and understand your Cloud Storage errors.

wenmislivend.blogspot.com

Source: https://cloud.google.com/storage/docs/troubleshooting