30 votes

I have created a service account in Google Cloud Console and selected role Storage / Storage Admin (i.e. full control of GCS resources).

gcloud projects get-iam-policy my_project seems to indicate that the role was actually selected:

- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.admin
- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.objectAdmin
- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.objectCreator

And documentation clearly indicates that role roles/storage.admin comprises permissions storage.objects.* (as well as storage.buckets.*).

But when I try using that service account in conjunction with the Google Cloud Storage Client Library for Python, I receive this error message:

my_sa@my_project.iam.gserviceaccount.com does not have storage.objects.get access to my_project/my_bucket.

So why would the selected role not be sufficient in this context?

3
Could you share the code you're using? Also could you tell me more about how this service account is set to be used by the client library? – Frank Natividad
@FrankNatividad This is what questions (and upvotes) are for. Why not post such a question (and link to it from here, so that I can notice it as well)? – Drux
It looks like there's a bug in gcloud. I've come across the same problem. Roles assigned but always permission denied from the command line, which disappeared after removing the service account and creating another one. – Lukasz Frankowski
In case this helps anyone in the future: I had a similar problem but had to reboot my IDE (PyCharm) after granting the correct permissions. – Sofie VL

3 Answers

16 votes

The problem was apparently that the service account was associated with too many roles, perhaps as a result of previous configuration attempts.

These steps resolved the issue:

  • removed all (three) roles for the offending service account (member) my_sa under IAM & Admin / IAM
  • deleted my_sa under IAM & Admin / Service accounts
  • recreated my_sa (again with role Storage / Storage Admin)

Effects are like this:

  • my_sa shows up with one role (Storage Admin) under IAM & Admin / IAM
  • my_sa shows up as member under Storage / Browser / my_bucket / Edit bucket permissions
8 votes

It's worth noting that you need to wait a minute or so for permissions to start working in case you just assigned them. At least that's what happened to me after:

gcloud projects add-iam-policy-binding xxx --member
"serviceAccount:[email protected]" --role "roles/storage.objectViewer"
3 votes

Go to your bucket's permissions section and open the add permissions section for your bucket. For example, the service account that gcloud tells you has insufficient permissions is:

[email protected] 

Add this service account as a user, then give it these roles:

  • Cloud Storage - Storage Admin
  • Cloud Storage - Storage Object Admin
  • Cloud Storage - Storage Object Creator

Then you should have sufficient permissions to make changes on your bucket.
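The question's policy dump and the accepted answer both come down to one check: which roles a given member actually holds at project level, and which of them are redundant because a broader role already covers them. The script below is an added example written for this thread (not code from any of the posters or from Google's libraries). It parses the JSON form of the same policy, `gcloud projects get-iam-policy PROJECT --format=json`, whose `bindings` list carries the data the question shows as YAML. The sample policy is constructed, and the table of which roles subsume which is an assumption derived from the statement in the question that `roles/storage.admin` comprises `storage.objects.*` and `storage.buckets.*`; check it against the current IAM role reference before relying on it.

```python
"""Audit a GCP project IAM policy for one member's Cloud Storage roles.

Added example for this thread (not from the original posts).
Input is the JSON form of the policy:
    gcloud projects get-iam-policy PROJECT --format=json > policy.json
"""
import json
import sys

# Constructed sample: the three bindings from the question, plus an unrelated
# binding so the per-member grouping is visible. "etag" is a placeholder.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:my_sa@my_project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:my_sa@my_project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectCreator",
         "members": ["serviceAccount:my_sa@my_project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "PLACEHOLDER_ETAG",
    "version": 1,
})

# Assumption: which predefined Storage roles are fully covered by a broader one.
# The thread states roles/storage.admin comprises storage.objects.* and
# storage.buckets.*, so the object-level roles add nothing when it is held.
SUBSUMED_BY = {
    "roles/storage.admin": {
        "roles/storage.objectAdmin",
        "roles/storage.objectCreator",
        "roles/storage.objectViewer",
    },
    "roles/storage.objectAdmin": {
        "roles/storage.objectCreator",
        "roles/storage.objectViewer",
    },
}


def roles_by_member(policy_json):
    """Invert the policy: member -> set of roles bound to it at project level."""
    policy = json.loads(policy_json)
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def redundant_roles(roles):
    """Roles in the set that a broader role in the same set already covers."""
    redundant = set()
    for broad in roles:
        redundant |= SUBSUMED_BY.get(broad, set()) & roles
    return redundant


def audit(policy_json, member):
    """Summarise one member: all roles, the redundant ones, and whether the
    broad Storage Admin role (what the question expected to suffice) is held."""
    roles = roles_by_member(policy_json).get(member, set())
    return {
        "roles": sorted(roles),
        "redundant": sorted(redundant_roles(roles)),
        "has_storage_admin": "roles/storage.admin" in roles,
    }


def cleanup_commands(project, member, redundant):
    """gcloud commands that would drop the redundant bindings (printed, not run)."""
    return [
        f"gcloud projects remove-iam-policy-binding {project} "
        f"--member='{member}' --role='{role}'"
        for role in sorted(redundant)
    ]


if __name__ == "__main__":
    # Usage: python audit_iam.py policy.json MEMBER   (defaults to the sample)
    policy = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    member = sys.argv[2] if len(sys.argv) > 2 else \
        "serviceAccount:my_sa@my_project.iam.gserviceaccount.com"
    report = audit(policy, member)
    print(json.dumps(report, indent=2))
    for cmd in cleanup_commands("my_project", member, report["redundant"]):
        print(cmd)
```

Run against a real export, the report shows the same picture the accepted answer describes: one useful role and two that only duplicate it. Whether to trim them or follow the answer's delete-and-recreate route is a judgment call, but after any IAM change remember the second answer's point that bindings take a short while to propagate, so re-test the live permission (for example with the client library's `bucket.test_iam_permissions(["storage.objects.get"])`) a minute later rather than immediately.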