I can't seem to get the IAM roles to work for Google Cloud Storage.
Whatever I try I get the 403 error with the message: [MY_SERVICE_ACCOUNT].iam.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. The same goes for the `.get` method.
On another post I saw that someone's fix was to delete his service account and recreate it, so I tried this:
- Removing every right from the old service account
- Removing the linked access key
- Removing the service account itself
On the Firebase console, I could see that the service account was deleted, so I created a new one from there. Then, on the Google Cloud console:
- In the IAM section I added the role "Storage Admin" to my service account
- I added my service account as a member of my bucket with the role set as "Storage Admin" (following this: https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.5/bk_cloud-data-access/content/edit-bucket-permissions.html)
To summarize, I now have a service account with the roles:
- Firebase Admin SDK Administrator Service Agent
- Storage Admin
I have set my bucket's Access control to Uniform and made sure my service account was in its members with the roles:
- Storage Admin
- Firebase Admin SDK Administrator Service Agent
In the Firebase console I put the original rules of:

```
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      // no condition: every client SDK request is allowed
      // (the Admin SDK bypasses these rules entirely)
      allow read, write;
    }
  }
}
```
I use the Node package like so:

```javascript
const admin = require("firebase-admin");
const serviceAccount = require("./my-sa-config.json");

admin.initializeApp({
  credential: admin.credential.cert(serviceAccount),
  storageBucket: "xxx.appspot.com" // default bucket for admin.storage().bucket()
});

const storage = admin.storage();
// bucket("users") addresses a GCS bucket literally named "users";
// the default bucket above is only used when bucket() gets no argument
const bucket = storage.bucket("users");

bucket.getFiles()
  .then((data) => {
    console.log(data);
  })
  .catch((err) => console.error(err));
```
If anyone has any hint of where it could come from I would very much appreciate the help.
Thanks
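An added diagnostic script (not the poster's code, and not part of firebase-admin) that separates the two things the 403 above can mean: the service account really lacks `storage.objects.list` on that bucket, or the code is addressing a different bucket than the one the roles were granted on. It resolves the target into a bucket name plus an object prefix, then asks GCS directly, via `bucket.iam.testPermissions()` from the underlying @google-cloud/storage `Bucket`, which permissions the caller holds before attempting the listing. The default bucket `xxx.appspot.com`, the key file path `./my-sa-config.json`, and treating `users` as a folder prefix inside the default bucket are assumptions for this example.

```javascript
// Added example, not the poster's code. Diagnose a 403 on getFiles() by
// resolving which bucket is actually addressed and asking GCS which IAM
// permissions the service account holds on it.
// Assumptions (placeholders): default bucket "xxx.appspot.com", key file
// "./my-sa-config.json", and "users" meaning a folder inside that bucket.

const DEFAULT_BUCKET = 'xxx.appspot.com';

// Turn a loosely written target into { bucket, prefix }:
//   'gs://other-bucket/dir' -> a different bucket, prefix 'dir/'
//   'users'                 -> default bucket, prefix 'users/'
//   ''                      -> default bucket, no prefix
function parseStorageTarget(target, defaultBucket = DEFAULT_BUCKET) {
  let bucket = defaultBucket;
  let path = (target || '').trim();
  const m = path.match(/^gs:\/\/([^/]+)\/?(.*)$/);
  if (m) {
    bucket = m[1];
    path = m[2];
  }
  // normalise "users", "/users", "users/" into "users/"
  path = path.replace(/^\/+/, '').replace(/\/+$/, '');
  return { bucket, prefix: path ? `${path}/` : '' };
}

// Map a storage API error onto the next check a defender should run.
function classifyStorageError(err) {
  const code = err && err.code;
  const msg = String((err && err.message) || '');
  if (code === 404) return 'bucket-not-found';          // name typo or wrong project
  if (code === 403 && /storage\.objects\.list/.test(msg)) return 'missing-objects-list';
  if (code === 403) return 'forbidden';                 // some other permission
  return 'other';
}

// Network part: only runs when executed directly; needs firebase-admin and the key file.
async function diagnose(target) {
  const admin = require('firebase-admin');
  const serviceAccount = require('./my-sa-config.json'); // placeholder path
  admin.initializeApp({
    credential: admin.credential.cert(serviceAccount),
    storageBucket: DEFAULT_BUCKET,
  });
  const { bucket: name, prefix } = parseStorageTarget(target);
  console.log(`identity: ${serviceAccount.client_email}`);
  console.log(`target  : gs://${name}/${prefix}`);

  const bucket = admin.storage().bucket(name);
  // testPermissions returns the subset of these that the caller actually holds;
  // it needs no permission itself, so it works even when listing is denied.
  const [held] = await bucket.iam.testPermissions([
    'storage.buckets.get',
    'storage.objects.list',
    'storage.objects.get',
  ]);
  console.log('permissions held on bucket:', held);

  const [files] = await bucket.getFiles({ prefix });
  console.log(`${files.length} object(s) under prefix "${prefix}"`);
  return files.map((f) => f.name);
}

if (typeof require !== 'undefined' && require.main === module) {
  diagnose(process.argv[2] || 'users').catch((err) => {
    console.error(`getFiles failed (${classifyStorageError(err)}): ${err.message}`);
    process.exitCode = 1;
  });
}

if (typeof module !== 'undefined') {
  module.exports = { parseStorageTarget, classifyStorageError, diagnose };
}
```

Run it as `node diagnose.js users` (or `node diagnose.js gs://some-bucket/dir`). If `permissions held` shows `storage.objects.list: false` on the bucket you expected, the role binding is on the wrong bucket or project; if the bucket name printed under `target` is not the one you granted roles on, the fix is in the code, not in IAM.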