Configure GCP bucket for snapshot

Hi ,
I have ES cluster running on GCP instances. I am trying to configure GCP bucket for snapshots but unable to add gcp service-account.json (credential file to ES keystore ) can someone advise on this , how to add it setting and a credential file to keystore and configure this .

/usr/share/elasticsearch/bin/elasticsearch-keystore add-file gcs.client.es-snap-agent.elasticsearch_gserviceaccount

my gcp service act - elasticsearch_gserviceaccount

[root@es-node-1-us-east4-a-96182b elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-keystore add-file gcs.client.default.elasticsearch_gserviceaccount
A tool for managing settings stored in the elasticsearch keystore

Commands
--------
create - Creates a new elasticsearch keystore
list - List entries in the keystore
add - Add a string setting to the keystore
add-file - Add a file setting to the keystore
remove - Remove a setting from the keystore

Non-option arguments:
command

Option         Description
------         -----------
-h, --help     show help
-s, --silent   show minimal output
-v, --verbose  show verbose output
ERROR: Missing file name

This is the clue, but the docs are unclear so I opened #35433. The command should be:

elasticsearch-keystore add-file gcs.client.default.credentials_file FILENAME

where FILENAME is the name of your credentials file. Note that the setting name is gcs.client.NAME.credentials_file where NAME is normally default, which is not what you're using.

Hi David .

I tried to change the default name . But in cmd line if you check i did used default earlier .

But as per your advise

[root@elasticsearch-node-1-us-east4-a-96182b elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-keystore add-file gcs.client.default.elasticsearch_gserviceaccount elasticsearch_gserviceaccount
Setting gcs.client.default.elasticsearch_gserviceaccount already exists. Overwrite? [y/N]y
[root@elasticsearch-node-1-us-east4-a-96182b elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-keystore list
gcs.client.default.elasticsearch_gserviceaccount
keystore.seed

I do face problem in next step now

curl --cacert /etc/elasticsearch/certs/digicertca-chain.cert -X PUT -u elastic "https://elasticsearch-node-2.jabodo.com:9200/_snapshot/iacapps_gcs_repository" -H 'Content-Type: application/json' -d'
> {
>   "type": "gcs",
>   "settings": {
>     "bucket": "iacapps-es-snapshots",
>     "client": "default"
>   }
> }
> '
Enter host password for user 'elastic':
{"error":{"root_cause":[{"type":"blob_store_exception","reason":"Unable to check if bucket [iacapps-es-snapshots] exists"}],"type":"repository_exception","reason":"[iacapps_gcs_repository] cannot create blob store","caused_by":{"type":"blob_store_exception","reason":"Unable to check if bucket [iacapps-es-snapshots] exists","caused_by":{"type":"security_exception","reason":"access denied (\"java.lang.RuntimePermission\" \"accessDeclaredMembers\")"}}},"status":500}

looks like permission issue. But service act has storage admin permissions . How do i troubleshoot this

Could you share the stack trace from this exception, which you will find in the node logs?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.