0
votes

I can't seem to get the IAM roles to work for Google Cloud Storage.

Whatever I try I get the 403 error with the message: [MY_SERVICE_ACCOUNT].iam.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. The same goes for the .get method.

On another post I saw that someone's fix was to delete his service account and recreate one, so I tried this:

  1. Removing every right from the old service account
  2. Removing the linked access key
  3. Removing the service account itself

On the Firebase console, I could see that the service account was deleted, so I created a new one from there. Then on google-cloud console:

To summarize, I now have a service account with the roles:

  • Firebase Admin SDK Administrator Service Agent
  • Storage Admin

I have set my bucket's Access control to Uniform and made sure my service account was in its members with the roles:

  • Storage Admin
  • Firebase Admin SDK Administrator Service Agent

In the Firebase console I put the original rules of:

rules_version = '2';

service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write;
    }
  }
}

I use the Node package like so:

var admin = require("firebase-admin");

// Service account key downloaded from the Firebase / Google Cloud console
var serviceAccount = require('./my-sa-config.json');

admin.initializeApp({
  credential: admin.credential.cert(serviceAccount),
  // Default bucket of the project
  storageBucket: "xxx.appspot.com"
});

const storage = admin.storage();
// Intended to select the "users" folder of the default bucket
const bucket = storage.bucket('users');

// List the objects, then log the [files] array (or the 403 error)
bucket.getFiles()
.then((data) => {
    console.log(data);
})
.catch((err) => console.error(err));

If anyone has any hint of where it could come from I would very much appreciate the help.

Thanks

1
Are you following any guide? What do you want to do with the bucket? – Enrique Del Valle

I want to write a method that automatically deletes a bunch of unused files from the bucket. But I'm not anywhere near it, because as soon as I try to list files, the error is thrown. I got the code above from firebase.google.com/docs/storage/admin/start and used this reference for the IAM roles: cloud.google.com/storage/docs/access-control/iam-roles – LucasBeef

One other thing to note is that as it stands I can manage to browse and edit my Firestore database: no error is thrown. So I must have missed something when it comes to accessing a bucket with a service account. – LucasBeef

Do you want to use a default or custom bucket? What do you want to do in these lines "const bucket = storage.bucket('users'); const storage = admin.storage();"? – Enrique Del Valle

@EnriqueDelValle, your comment made me realise my mistake. I try to access a folder called 'users' that's inside my bucket with this line const bucket = storage.bucket('users'). Whereas it tries to access the bucket named 'users'. – LucasBeef

1 Answer

2
votes

OK, I'll just post the answer in case anyone makes the same mistake I did.

I used this line because I wanted to access the folder "users" from my default bucket.

const bucket = storage.bucket('users');

The parameter is used to specify a different bucket, not a folder. Well, I don't have a bucket called "users", so it triggers the 403 forbidden access error, which misled me into thinking it was a role issue.
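To make the bucket-versus-folder distinction concrete, here is an added example (it is not code from the question, the answer or the firebase-admin project). It assumes the default bucket name "xxx.appspot.com" from the question, and it goes a little beyond the answer by also accepting a gs://bucket/folder target so the same helper can address a non-default bucket. The storage client is injected, so the helper works with the object returned by admin.storage() but can also run offline against the constructed in-memory double at the bottom; the object names in that double are constructed sample data.

```javascript
// Split a target such as "users", "users/avatars" or "gs://other-bucket/users/"
// into the bucket to open and the object-name prefix to list. A bare folder name
// is never a bucket: it is a prefix inside the default bucket.
function resolveTarget(defaultBucket, target) {
  let bucketName = defaultBucket;
  let prefix = target;
  if (target.startsWith('gs://')) {
    const rest = target.slice('gs://'.length);
    const slash = rest.indexOf('/');
    bucketName = slash === -1 ? rest : rest.slice(0, slash);
    prefix = slash === -1 ? '' : rest.slice(slash + 1);
  }
  prefix = prefix.replace(/^\/+/, '');
  // GCS "folders" are just a shared prefix, so make sure it ends with "/"
  if (prefix !== '' && !prefix.endsWith('/')) prefix += '/';
  return { bucketName, prefix };
}

// Object names in a bucket form a flat namespace; listing a folder is
// filtering that namespace by prefix.
function namesUnderPrefix(names, prefix) {
  return names.filter((n) => n.startsWith(prefix));
}

// List the objects under a folder. `storage` is what admin.storage() returns
// (or the offline double below). Only the bucket name goes to .bucket();
// the folder becomes the `prefix` option of getFiles().
async function listFolder(storage, defaultBucket, target) {
  const { bucketName, prefix } = resolveTarget(defaultBucket, target);
  const [files] = await storage.bucket(bucketName).getFiles({ prefix });
  return files.map((f) => f.name);
}

// Constructed in-memory double for offline runs. It mirrors the shape of the
// real client's bucket(name).getFiles(options) call and, like the question's
// experience, answers a bucket the caller is not allowed to see with a 403.
function makeFakeStorage(objectsByBucket) {
  return {
    bucket(name) {
      return {
        async getFiles({ prefix = '' } = {}) {
          const names = objectsByBucket[name];
          if (names === undefined) {
            const err = new Error(
              `caller does not have storage.objects.list access to bucket ${name}`);
            err.code = 403;
            throw err;
          }
          return [namesUnderPrefix(names, prefix).map((n) => ({ name: n }))];
        },
      };
    },
  };
}

// Constructed sample contents of the default bucket
const SAMPLE = {
  'xxx.appspot.com': ['users/alice.png', 'users/bob.png', 'public/logo.png'],
};

// Correct call (folder as prefix) next to the question's original call
// (folder name passed as the bucket name), which fails with 403.
async function demo() {
  const storage = makeFakeStorage(SAMPLE);
  const ok = await listFolder(storage, 'xxx.appspot.com', 'users');
  let wrong;
  try {
    await storage.bucket('users').getFiles();
  } catch (e) {
    wrong = e.code;
  }
  return { ok, wrong };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

With the real client you would pass admin.storage() as `storage` and keep the default bucket from initializeApp; admin.storage().bucket() with no argument also returns that default bucket, so a folder inside it is always a getFiles prefix, never a bucket name.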