Google Cloud API Service authorisation failure - forbidden access
C

4

9

I am currently receiving the following error when attempting to access the Google Cloud service via a Java client:

Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "xyz.iam.gserviceaccount.com does not have storage.buckets.list access to project 123456.",
    "reason" : "forbidden"
  } ],
  "message" : "xyz.iam.gserviceaccount.com does not have storage.buckets.list access to project 123456."
}

So far I have:

  • Installed and authorised the SDK with the login details of the Google Cloud account
  • Added the GOOGLE_APPLICATION_CREDENTIALS of the service account xyz to my environment variable with the path to the JSON key
  • Given the service account (xyz) permissions for the given project (123456)
  • Enabled permissions to the Storage API and the Speech API (the intended target in the future)

How do I provide access to a service account for a given list or API for a given project?

Cleareyed answered 25/3, 2018 at 12:34 Comment(1)
Is the Storage Bucket in the same project as the service account? - Athal
L
8

The message is very specific and doesn't leave much room for doubt, but if there is an issue please share the roles currently assigned to your service account:

"xyz.iam.gserviceaccount.com does not have storage.buckets.list access to project 123456."

It could be that the role you have assigned to your service account in https://console.cloud.google.com/iam-admin/iam/project doesn't have the storage.buckets.list access.

In order to see if the specific role has the storage.buckets.list access, search for that access in https://console.cloud.google.com/iam-admin/roles. This will output a list of roles that have this access and you can see if your service account has one of them or not.

Lamellirostral answered 29/4, 2018 at 11:47 Comment(2)
The roles list shows that this particular role is Enabled but I am still getting this error - Hurd
@ShubhamGoel Sorry, it is not clear what you mean by "role list". If you are referring to the "Role" tab, given an "access" it will show which roles have it. You have to then assign those roles in IAM tab. - Lamellirostral
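
The check described in the answer above can be done offline against an exported policy. This is an added example, not code from the answer or from Google: the service account name, the policy and the abbreviated role-to-permission table are constructed, and `explain` and `roles_for` are hypothetical helper names.

```python
import json

# Abbreviated, constructed role -> permission excerpt for this example only.
# Authoritative lists come from `gcloud iam roles describe ROLE`.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.admin": {"storage.buckets.get", "storage.buckets.list",
                            "storage.objects.get", "storage.objects.list"},
}

# Constructed service account name (the page does not show the real one).
SA = "serviceAccount:demo-sa@example-project.iam.gserviceaccount.com"

# Constructed policy in the shape `gcloud projects get-iam-policy --format=json` prints.
SAMPLE_POLICY = json.loads("""
{"version": 1, "bindings": [
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:demo-sa@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.admin", "members": ["user:admin@example.com"]}
]}
""")


def roles_for(policy, member):
    """Return (role, condition title or None) for each direct binding of member."""
    found = []
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            condition = binding.get("condition")
            title = condition.get("title", "<untitled>") if condition else None
            found.append((binding["role"], title))
    return found


def explain(policy, member, permission, role_permissions=ROLE_PERMISSIONS):
    """Classify whether member holds permission through this policy's bindings."""
    bound = roles_for(policy, member)
    if not bound:
        return "no-binding", []
    granting = [(r, c) for r, c in bound if permission in role_permissions.get(r, ())]
    if any(c is None for _, c in granting):
        return "granted", [r for r, c in granting if c is None]
    if granting:  # only conditional bindings carry the permission
        return "conditional-only", [r for r, _ in granting]
    return "bound-but-missing-permission", [r for r, _ in bound]


if __name__ == "__main__":
    print(explain(SAMPLE_POLICY, SA, "storage.buckets.list"))
```

The sample reproduces the situation in the question: the account has a Storage role bound, but that role does not carry storage.buckets.list. Bindings inherited from a folder or organisation are not in a project-level export and are not covered by this check.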
D
4

You need to provide the Service Account with "Storage Admin" access. This can be found in https://console.cloud.google.com/iam-admin/iam?project={your-project}

Click the pencil under "Inheritance" to edit the permissions.

Differentia answered 4/8, 2020 at 3:54 Comment(0)
S
1

It could also be that you set a project that does not exist. For example, by running the following on the gcloud CLI: gcloud config set project personal, whereas the actual ID of the project is personal-267000, as below:

gcloud projects list | grep personal
personal-267000 personal 203784673875

So, once you set it up correctly, gcloud config set project personal-267000, your commands should work nicely. The easiest way to test is by triggering the following CLI command: gsutil ls. Don't forget to make sure that you're using the account you want as well: gcloud config configurations list

Softball answered 2/2, 2020 at 0:19 Comment(0)
R
0

If the bucket in use is in your project, you can always try running the gsutil ch command as your user:

gsutil acl ch -u [email protected]:WRITE gs://your-bucket
Robinia answered 29/3, 2018 at 14:15 Comment(0)
