I am trying to copy files to a Google Cloud bucket and getting a permissions error. i.e. Failed to copy: googleapi: Error 403: user@example.com does not have storage.objects.delete access to...
I'm not sure why I need delete permissions for a copy command. It's my intention to only assign write and read/list commands to prevent an attacker from deleting backups.
What is your rclone version (output from rclone version)
rclone v1.54.0
os/arch: linux/amd64
go version: go1.15.7
Which OS you are using and how many bits (eg Windows 7, 64 bit)
Ubuntu 20.04 with 64 bit 5.4.78-2-pve kernel, running in a Linux container.
Which cloud storage system are you using? (eg Google Drive)
Google Cloud
The command you were trying to run (eg rclone copy /tmp remote:tmp)
rclone copy /mnt/cameras CryptCameras:lalala
The rclone config contents with secrets removed.
```
[GoogleCloud]
type = google cloud storage
storage_class = COLDLINE
token = {"access_token":","token_type":"Bearer","refresh_token":"","expiry":"2021-02-20T14:48:57.699451649-06:00"}
project_number =
object_acl = private
bucket_acl = private
location = us

[CryptCameras]
type = crypt
remote = GoogleCloud:lalala
filename_encryption = standard
directory_name_encryption = true
password =
password2 =
```
#### A log from the command with the `-vv` flag
https://pastebin.com/mypHwmq7
So it looks like rclone tried to delete the file at the end of the transfer. This can happen if the transfer was corrupt, but there should have been a log Removing failed copy if that happened.
Can you do your command with -vv --dump headers and post that output please?
I've posted the requested logs here. Since I'm not sure if it will expose authentication information, I've password-protected the post. I'll send it to you in a DM.
2021/02/24 10:29:04 ERROR : driveway/datadir0/hiv00002.mp4: Failed to copy: googleapi: Error 403: nothing@example.com does not have storage.objects.delete access to 2nynoj984pyy79bb/noi3lv762damf4mpdu3icjrnkc/7ng18l9ik1j4er938jimasifas/t8b0m31mbo2nrd1k0ink6pirss., forbidden
That is strange because this is the second part of a multipart upload, and the first part went fine.
The only thing I can think of is that it is overwriting an existing file - could that be the case?
Yes, that file does exist. Does this happen because the initial transfer was interrupted? Would this additional permission be needed for this scenario?
I was able to successfully copy my data with the permission added. Thanks for your help.
Perhaps a feature can be added to avoid this. Maybe it would append a -2 or something to the end of the file with a flag like --no-del. Just throwing some ideas out here.
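
Added example (not part of the thread and not rclone's own code): a Python sketch that pulls the denied permission out of `-vv` log lines shaped like the error quoted above and lists the files that hit `storage.objects.delete`, which per the discussion are the ones whose destination object already existed. The sample log, account and object names are constructed.

```python
import re
from collections import defaultdict

# Shape of the 403 line quoted in the thread (rclone v1.54.0, GCS backend).
DENIED = re.compile(
    r"^\S+ \S+ ERROR : (?P<file>.+?): Failed to copy: googleapi: Error 403: "
    r"(?P<principal>\S+) does not have (?P<perm>storage\.[\w.]+) access to "
    r"(?P<obj>.+?)\.?, forbidden$"
)

# Constructed sample log; the account, paths and object names are made up.
SAMPLE_LOG = """\
2021/02/24 10:29:04 ERROR : driveway/datadir0/a.mp4: Failed to copy: googleapi: Error 403: writer@example.com does not have storage.objects.delete access to bucket-x/enc1/enc2., forbidden
2021/02/24 10:29:05 INFO  : driveway/datadir0/b.mp4: Copied (new)
2021/02/24 10:29:09 ERROR : porch/c.mp4: Failed to copy: googleapi: Error 403: writer@example.com does not have storage.objects.delete access to bucket-x/enc3/enc4., forbidden
2021/02/24 10:29:10 ERROR : porch/d.mp4: Failed to copy: googleapi: Error 403: writer@example.com does not have storage.objects.create access to bucket-x/enc3/enc5., forbidden
"""


def denied_permissions(log_text):
    """Return {(principal, permission): [local files whose copy was refused]}."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        m = DENIED.match(line.strip())
        if m:
            found[(m["principal"], m["perm"])].append(m["file"])
    return dict(found)


def overwrite_candidates(log_text):
    """Files refused for lack of storage.objects.delete during a copy.

    In the thread this was the symptom of the destination object already
    existing, so these are the files to inspect before widening the role.
    """
    hits = denied_permissions(log_text)
    return sorted(
        f
        for (_, perm), files in hits.items()
        if perm == "storage.objects.delete"
        for f in files
    )


if __name__ == "__main__":
    for (who, perm), files in denied_permissions(SAMPLE_LOG).items():
        print(f"{who} lacks {perm}: {len(files)} file(s)")
    print("already present at destination?", overwrite_candidates(SAMPLE_LOG))
```
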