service account does not have storage.objects.get access for Google Cloud Storage
I have created a service account in Google Cloud Console and selected role Storage / Storage Admin (i.e. full control of GCS resources).

gcloud projects get-iam-policy my_project seems to indicate that the role was actually selected:

- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.admin
- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.objectAdmin
- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.objectCreator

And documentation clearly indicates that role roles/storage.admin comprises permissions storage.objects.* (as well as storage.buckets.*).

But when I try using that service account in conjunction with the Google Cloud Storage Client Library for Python, I receive this error message:

my_sa@my_project.iam.gserviceaccount.com does not have storage.objects.get access to my_project/my_bucket.

So why would the selected role not be sufficient in this context?

Docia answered 18/7, 2018 at 20:38 Comment(5)
Could you share the code you're using? Also could you tell me more about how this service account is set to be used by the client library?Annam
@FrankNatividad This is what questions (and upvotes) are for. Why not post such a question (and link to it from here, so that I can notice it as well)?Docia
It looks like there's a bug in gcloud. I've come across the same problem. Roles assigned but always permission denied from the command line, which disappeared after removing the service account and creating another one.Foretop
In case this helps anyone in the future: I had a similar problem but had to reboot my IDE (PyCharm) after granting the correct permissions.Hereunto
Quick note: the role has to be assigned on the bucket (not in the Service account's permission tab ...)Stormystorting
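To see, from the policy that `gcloud projects get-iam-policy` prints, which predefined roles actually carry `storage.objects.get` for a given member, here is an added Python example (not code from the question or from any answer, and not part of the Cloud Storage client library). It parses the binding format shown in the question with a small hand-written reader for that YAML subset; the role-to-permission table is an assumption for the example, based on the documented contents of the predefined Cloud Storage roles, and should be checked against the current IAM roles reference. The check only reflects the policy at the level it was read from (the project, here): a denial can still come from a bucket-level policy, from a client that is not actually authenticating as that service account, or from a wrong bucket name.

```python
"""Which Cloud Storage permissions does an IAM policy grant a member?

Added example; it is not code from the question or the answers. It reads the
`bindings:` list printed by `gcloud projects get-iam-policy` and maps the
predefined storage roles to the permissions they carry.
"""
import fnmatch
from typing import Dict, List, Tuple

# Permissions carried by the predefined roles that appear in the thread.
# Assumption for this example: reflects the documented role contents at the
# time of writing; verify against the current IAM roles reference.
ROLE_PERMISSIONS: Dict[str, Tuple[str, ...]] = {
    "roles/storage.admin": ("storage.objects.*", "storage.buckets.*"),
    "roles/storage.objectAdmin": ("storage.objects.*",),
    "roles/storage.objectCreator": ("storage.objects.create",),
    "roles/storage.objectViewer": ("storage.objects.get", "storage.objects.list"),
}

# Constructed sample: the three bindings from the question, in gcloud's format.
SAMPLE_POLICY = """\
bindings:
- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.admin
- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.objectAdmin
- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.objectCreator
"""


def parse_bindings(text: str) -> List[Tuple[str, List[str]]]:
    """Parse the `bindings:` list into (role, members) pairs.

    Handles only the YAML subset gcloud emits for plain bindings; use a real
    YAML parser for full policies (conditions, audit configs, etc.).
    """
    bindings: List[Tuple[str, List[str]]] = []
    members: List[str] = []
    role = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "- members:":
            # A new binding starts: flush the previous one if it was complete.
            if role is not None:
                bindings.append((role, members))
            members, role = [], None
        elif line.startswith("  - "):
            members.append(line[4:].strip())
        elif line.startswith("  role:"):
            role = line.split(":", 1)[1].strip()
    if role is not None:
        bindings.append((role, members))
    return bindings


def roles_for(member: str, bindings: List[Tuple[str, List[str]]]) -> List[str]:
    """All roles bound to `member` in this policy, in policy order."""
    return [role for role, members in bindings if member in members]


def granted(member: str, bindings: List[Tuple[str, List[str]]], permission: str) -> List[str]:
    """Roles held by `member` that include `permission` (empty list if none)."""
    hits = []
    for role in roles_for(member, bindings):
        patterns = ROLE_PERMISSIONS.get(role, ())
        if any(fnmatch.fnmatchcase(permission, p) for p in patterns):
            hits.append(role)
    return hits


def explain(member: str, text: str, permission: str = "storage.objects.get") -> str:
    """One-line verdict for a member, read from the printed policy text."""
    hits = granted(member, parse_bindings(text), permission)
    if hits:
        return f"{member} has {permission} via {', '.join(hits)} at the level this policy was read from"
    return f"{member} has no role in this policy that includes {permission}"


if __name__ == "__main__":
    sa = "serviceAccount:my_sa@my_project.iam.gserviceaccount.com"
    print(explain(sa, SAMPLE_POLICY))
```

Run against the question's own bindings, `explain()` reports that two of the three roles already include `storage.objects.get`, which is why the extra roles were never the cause. If this check says the permission is granted and the API still denies it, the next things to verify are whether the client is really using that service account's credentials (not application-default credentials for another principal), whether the bucket name in the code is the bucket you granted access on, and, as a later answer notes, whether the binding was created only moments earlier and has not propagated yet.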
The problem was apparently that the service account was associated with too many roles, perhaps as a result of previous configuration attempts.

These steps resolved the issue:

  • removed all (three) roles for the offending service account (member) my_sa under IAM & Admin / IAM
  • deleted my_sa under IAM & Admin / Service accounts
  • recreated my_sa (again with role Storage / Storage Admin)

Effects are like this:

  • my_sa shows up with one role (Storage Admin) under IAM & Admin / IAM
  • my_sa shows up as member under Storage / Browser / my_bucket / Edit bucket permissions
Docia answered 19/7, 2018 at 3:41 Comment(1)
Happy to hear you solved the issue. Principally, if a service account has the Storage Admin role it should be able to create a bucket no matter what additional roles it has. I tried to reproduce this issue, having a service account with three roles storage.admin, storage.objectAdmin, and storage.objectCreator; I confirm I can create a bucket using that service account. Can you double check by adding these additional roles whether the issue still continues on your side?Saltant
Go to your bucket's permissions section and open the "add permissions" section for your bucket. For example, the service that gcloud reports as insufficient is:

[email protected] 

Add this service as a user, then give it these roles:

  • Cloud Storage - Storage Admin
  • Cloud Storage - Storage Object Admin
  • Cloud Storage - Storage Object Creator

Then you should have sufficient permissions to make changes on your bucket.

Footstone answered 18/3, 2021 at 19:25 Comment(1)
Thanks, this worked for me. While my actual username was added with all the permissions, it worked only when I added [email protected] this principalAlexandra
It's worth noting that you need to wait up to a few minutes for permissions to start working in case you just assigned them. At least that's what happened to me after:

gcloud projects add-iam-policy-binding xxx --member "serviceAccount:[email protected]" --role "roles/storage.objectViewer"
Spinks answered 27/11, 2020 at 11:39 Comment(1)
This is exactly what happened to me with fresh app engine deployment via gcloud app deploy.Gunslinger
I just realized this happens sometimes when you are creating the Firebase/Firestore/Storage project for the first time.

If you got this error in your first installation/deploy/setup, just wait 1 minute and try again. It seems like some delays in the Google Cloud deploys/serving are responsible for this.

Upbuild answered 30/6, 2022 at 7:22 Comment(0)
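The two answers above (Spinks' and Upbuild's) both describe a freshly granted binding that is not visible yet. An added Python example, not code from either answer or from Google's libraries, showing how to wait for it with bounded exponential backoff rather than an unbounded retry loop: `probe` is any zero-argument callable that returns True once the permission check passes. In production you would wrap the real check, which is assumed here to be `bucket.test_iam_permissions(["storage.objects.get"])` from google-cloud-storage (it returns the subset of the requested permissions the caller holds); the `make_fake_probe` helper is a constructed stand-in so the block runs offline, and `sleep` is injectable for the same reason.

```python
"""Wait, with bounded backoff, for a just-granted IAM binding to take effect.

Added example; not from the original answers. The real probe would wrap
google-cloud-storage's Bucket.test_iam_permissions() (assumed usage shown in
main()); make_fake_probe() is a constructed stand-in for offline use.
"""
import time
from typing import Callable


def wait_for_permission(probe: Callable[[], bool], *, max_wait: float = 300.0,
                        initial: float = 2.0, factor: float = 2.0,
                        sleep: Callable[[float], None] = time.sleep) -> int:
    """Call probe() until it returns True and return the number of attempts.

    Raises TimeoutError once the cumulative delay would exceed max_wait, so a
    binding that never arrives (wrong member, wrong resource, wrong
    credentials) fails loudly instead of looping forever.
    """
    attempts = 0
    delay = initial
    waited = 0.0
    while True:
        attempts += 1
        if probe():
            return attempts
        if waited + delay > max_wait:
            raise TimeoutError(
                f"permission not visible after {attempts} attempts / {waited:.0f}s")
        sleep(delay)
        waited += delay
        delay = min(delay * factor, 60.0)  # cap the step so polling stays responsive


def make_fake_probe(succeed_after: int) -> Callable[[], bool]:
    """Constructed stand-in for test_iam_permissions: denies the first N calls."""
    calls = {"n": 0}

    def probe() -> bool:
        calls["n"] += 1
        return calls["n"] > succeed_after

    return probe


def main() -> None:
    # Offline demonstration: the binding "appears" on the fourth probe.
    n = wait_for_permission(make_fake_probe(3), sleep=lambda s: None)
    print(f"permission visible after {n} attempts")

    # Assumed real-world usage (requires google-cloud-storage and credentials):
    # from google.cloud import storage
    # bucket = storage.Client().bucket("my_bucket")
    # wait_for_permission(
    #     lambda: "storage.objects.get" in bucket.test_iam_permissions(["storage.objects.get"]),
    #     max_wait=300.0)


if __name__ == "__main__":
    main()
```

The point of the `max_wait` ceiling is diagnostic: propagation delay is measured in minutes, so if the probe is still failing after five, the cause is almost certainly not propagation but one of the misconfigurations discussed elsewhere in this thread (wrong principal, wrong bucket, binding made on the wrong resource).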
For me, it worked after I added the associated email on the IAM page by the following steps. ChatGPT helped me with this, btw.

  1. Go to the Google Cloud Console at https://console.cloud.google.com/.
  2. Select the project associated with your Firebase project.
  3. Open the "IAM & admin" page from the left-hand menu.
  4. Click the "ADD" button to add a new member to the project.
  5. Enter the email address. For me it was in the following format: [email protected]
  6. Select the role Storage Object Creator or Storage Object Admin from the dropdown menu.
  7. Click the "SAVE" button to save the changes.
Mackintosh answered 25/4, 2023 at 16:34 Comment(0)
For me, it was because I deployed with the "default-bucket" parameter that is needed for the storage emulator.

admin.storage().bucket('default-bucket'); // do not deploy that

To fix it, I set the default bucket name at the initialization of the firebase admin.

const admin = require('firebase-admin');

const config = process.env.FUNCTIONS_EMULATOR ? {
    storageBucket: 'default-bucket',
} : {
    storageBucket: 'YOUR_FIREBASE_STORAGE_BUCKET',
};

admin.initializeApp(config);

const bucket = admin.storage().bucket();
Feed answered 24/9, 2021 at 10:41 Comment(2)
I had the same issue! I had all the proper permissions, but using the wrong bucket name resulted in a "permission" error, which was pretty misleading.Debatable
I mean... in google's defense... there might be a bucket named "default-bucket", and you don't have access to it :)Sump
I got this error when I copied a cloud function from another project because I forgot to update the storage bucket. Silly mistake.

admin.initializeApp({
  storageBucket: "gs://*****.appspot.com",
});
Kindle answered 11/9, 2022 at 8:57 Comment(0)
In my case, after the service account was created, the interface returned the error: "service account does not have storage.objects.get access for Google Cloud Storage".

But when I tried again the next day, everything was fine :)

Withstand answered 1/12, 2022 at 3:8 Comment(1)
I am having the same issue, @fgd. In GCP I've set Storage Object Admin permissions, however I am using Firebase Storage instead.Expression
