GCS Repository creation Issue


We have recently upgraded our ES version from 5.6 to 6.0. After that we are facing issue in taking snapshot of data.

In 6.0 ES, service.account option from repository has been removed so we need to add authentication key in elastic keystore.

We have added GCS authentication key on all servers via below command-

cat /opt/elasticsearch-6.0.0/config/gcs-secure-52144da29c6e.json | /opt/elasticsearch-6.0.0/bin/elasticsearch-keystore add gcs.account

Then we tried to create repository using below command:

PUT /_snapshot/gcs_repository_new?pretty
  "type": "gcs",
  "settings": {
     "bucket": "my-bucket",
     "client": "gcs.account"

It is giving below error:

  "error": {
    "root_cause": [
        "type": "repository_verification_exception",
        "reason": "[gcs_repository_new] path  is not accessible on master node"
    "type": "repository_verification_exception",
    "reason": "[gcs_repository_new] path  is not accessible on master node",
    "caused_by": {
      "type": "i_o_exception",
      "reason": "403 Forbidden\n{\n  \"code\" : 403,\n  \"errors\" : [ {\n    \"domain\" : \"global\",\n    \"message\" : \"Insufficient Permission\",\n    \"reason\" : \"insufficientPermissions\"\n  } ],\n  \"message\" : \"Insufficient Permission\"\n}"
  "status": 500

It would be great help if anyone can share suggestions to resolve this issue.

Actually I don't understand. Are you running this from GCE instance?

If so, you just need to follow: https://www.elastic.co/guide/en/elasticsearch/plugins/current/repository-gcs-usage.html#repository-gcs-using-compute-engine

Which means that you don't need to set client

If not, then you need to follow this: https://www.elastic.co/guide/en/elasticsearch/plugins/current/repository-gcs-usage.html#repository-gcs-using-service-account

gcs.client.NAME.credentials_file is the thing you need to define.

And then define "client": "NAME".

Can you clarify what you are doing?

We are running everything from GCE instances but I was not aware that it can use built in Google authentication to access the storage so till now we were using service account mechanism to take data snapshots till ElasticSearch version 5.6.x.

I just checked about my GCE instances if they are configured with Read/Write access to storage or not. Unfortunately all instances are created with only READ access so we won't be able to use built in authentication mechanism.

Reg service account mechanism:
Where we need to define this setting gcs.client.NAME.credentials_file ?
We added credential file using elastic-keystore tool of ES as defined in mail trail. Then we created repository using client option but thrown an error of "path is not accessible".

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.