Configure GCP bucket for snapshot


(Nikhil Pawar) #1

Hi,
I have an ES cluster running on GCP instances. I am trying to configure a GCP bucket for snapshots but am unable to add the GCP service-account.json (credential file) to the ES keystore. Can someone advise on how to add the setting and a credential file to the keystore and configure this?

/usr/share/elasticsearch/bin/elasticsearch-keystore add-file gcs.client.es-snap-agent.elasticsearch_gserviceaccount

My GCP service account: elasticsearch_gserviceaccount

[root@es-node-1-us-east4-a-96182b elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-keystore add-file gcs.client.default.elasticsearch_gserviceaccount
A tool for managing settings stored in the elasticsearch keystore

Commands
--------
create - Creates a new elasticsearch keystore
list - List entries in the keystore
add - Add a string setting to the keystore
add-file - Add a file setting to the keystore
remove - Remove a setting from the keystore

Non-option arguments:
command

Option         Description
------         -----------
-h, --help     show help
-s, --silent   show minimal output
-v, --verbose  show verbose output
ERROR: Missing file name

(David Turner) #2

This is the clue, but the docs are unclear so I opened #35433. The command should be:

elasticsearch-keystore add-file gcs.client.default.credentials_file FILENAME

where FILENAME is the name of your credentials file. Note that the setting name is gcs.client.NAME.credentials_file where NAME is normally default, which is not what you're using.
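
The naming rule from the reply above, as an added example that is not part of the thread: a POSIX shell check over elasticsearch-keystore list output that flags any gcs.client.* entry not of the form gcs.client.NAME.credentials_file and confirms that the client a repository will reference has a credentials entry. The function names are hypothetical and the sample listings are constructed (the first reuses the setting name from the question).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Input is the output of `elasticsearch-keystore list`, one entry per line.

# Print gcs.client.* entries that do not follow gcs.client.NAME.credentials_file.
misnamed_gcs_entries() {
  grep -E '^gcs\.client\.' | grep -Ev '^gcs\.client\.[^.]+\.credentials_file$' || true
}

# Exit 0 only if client NAME ($1) has a credentials_file entry in the listing on stdin.
client_has_credentials() {
  grep -Fxq "gcs.client.$1.credentials_file"
}

# Check a listing ($2) for the client a repository will reference ($1).
# Returns 0 when the keystore is consistent, 1 otherwise.
check_gcs_keystore() (
  client=$1 listing=$2 status=0
  bad=$(printf '%s\n' "$listing" | misnamed_gcs_entries)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad" | sed 's/^/not a recognised credentials setting: /'
    status=1
  fi
  if ! printf '%s\n' "$listing" | client_has_credentials "$client"; then
    echo "missing: gcs.client.$client.credentials_file"
    status=1
  fi
  exit "$status"
)

# Constructed sample: the setting name used in the question, plus keystore.seed.
SAMPLE_BAD='gcs.client.default.elasticsearch_gserviceaccount
keystore.seed'
# Constructed sample: the same keystore with the setting name from the reply.
SAMPLE_GOOD='gcs.client.default.credentials_file
keystore.seed'

for sample in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
  if check_gcs_keystore default "$sample"; then
    echo "keystore ok for client default"
  else
    echo "keystore needs fixing for client default"
  fi
done
```

On a node, pass the real listing instead of a sample: check_gcs_keystore default "$(/usr/share/elasticsearch/bin/elasticsearch-keystore list)".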


(Nikhil Pawar) #3

Hi David.

I tried to change the default name. But if you check the command line, I did use default earlier.

But as per your advice:

[root@elasticsearch-node-1-us-east4-a-96182b elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-keystore add-file gcs.client.default.elasticsearch_gserviceaccount elasticsearch_gserviceaccount
Setting gcs.client.default.elasticsearch_gserviceaccount already exists. Overwrite? [y/N]y
[root@elasticsearch-node-1-us-east4-a-96182b elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-keystore list
gcs.client.default.elasticsearch_gserviceaccount
keystore.seed

I now face a problem in the next step:

curl --cacert /etc/elasticsearch/certs/digicertca-chain.cert -X PUT -u elastic "https://elasticsearch-node-2.jabodo.com:9200/_snapshot/iacapps_gcs_repository" -H 'Content-Type: application/json' -d'
> {
>   "type": "gcs",
>   "settings": {
>     "bucket": "iacapps-es-snapshots",
>     "client": "default"
>   }
> }
> '
Enter host password for user 'elastic':
{"error":{"root_cause":[{"type":"blob_store_exception","reason":"Unable to check if bucket [iacapps-es-snapshots] exists"}],"type":"repository_exception","reason":"[iacapps_gcs_repository] cannot create blob store","caused_by":{"type":"blob_store_exception","reason":"Unable to check if bucket [iacapps-es-snapshots] exists","caused_by":{"type":"security_exception","reason":"access denied (\"java.lang.RuntimePermission\" \"accessDeclaredMembers\")"}}},"status":500}

Looks like a permission issue. But the service account has storage admin permissions. How do I troubleshoot this?


(David Turner) #4

Could you share the stack trace from this exception, which you will find in the node logs?

