0
votes

I am using Ubuntu in a VM on Google cloud. I have a .sh script which backs up files to a bucket. When I attempt to run the script, it throws me an error:

AccessDeniedException: 403 [email protected] does not have storage.objects.list access to the Google Cloud Storage bucket.

I gave the service account admin permissions for storage. The account is activated and everything. How do I fix this?

1
Add the service account to the bucket as "Storage Legacy Bucket Owner". Storage > Select bucket > Permission Tab > Add the SA as Storage Legacy Bucket Owner, then give it a try. – Mahboob
@Mahboob, I just did, the same error still surfaces. – Konstantin Astafurov
As per the FAQ, "Why can a user not access resources shortly after permission is granted, or continue to access resources after permission is removed?": In general, it takes fewer than 60 seconds for a member's access to be granted or revoked. However, under certain circumstances, it may take up to 7 minutes for these changes to fully propagate across the system. – Mahboob
Check which Cloud API access scopes are assigned to the Compute Engine instance in the Google Cloud Console. – John Hanley
@JohnHanley is right, I think you need to set Storage API to Full on your Ubuntu VM. Usually an Ubuntu VM has Read Only access to the bucket. – Mahboob

1 Answer

1
votes

Since you are executing the script from the Ubuntu VM, and Ubuntu VMs usually have the access scope set to read-only, this might be blocking the upload of the backup file to the GCS bucket.

To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance. Use one of the following methods to change the service account or access scopes of the stopped instance.

You can also change the access scope using the gcloud command.

gcloud compute instances set-service-account [INSTANCE_NAME] \
   [--service-account [SERVICE_ACCOUNT_EMAIL] | --no-service-account] \
   [--no-scopes | --scopes [SCOPES,...]]

Once your instance is turned off, you can set the access scope for Storage to Full, and I think it will work for you as you have assigned the Storage Admin role to the service account.
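The scope check suggested in the comments and the answer, as an added example that is not part of the original thread: access scopes cap what the VM's token may do regardless of the IAM roles on the service account, so the script classifies the Storage access the scopes allow and prints the stop / re-scope / start sequence when uploads would be blocked. The function names, the constructed sample scope list and the `INSTANCE_NAME`, `ZONE` and `SERVICE_ACCOUNT_EMAIL` placeholders are assumptions.

```shell
#!/bin/sh
# Added example: classify the Cloud Storage access allowed by a VM's access scopes.
METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"

# Run on the VM itself: list the scopes attached to its service account.
fetch_scopes() {
  curl -s -H "Metadata-Flavor: Google" "$METADATA_URL"
}

# Read scope URLs (one per line) on stdin; print none, read_only, read_write or full.
storage_access_level() (
  level=none
  while IFS= read -r scope || [ -n "$scope" ]; do
    case "$scope" in
      */auth/cloud-platform|*/auth/devstorage.full_control)
        level=full ;;
      */auth/devstorage.read_write)
        if [ "$level" != full ]; then level=read_write; fi ;;
      */auth/devstorage.read_only)
        if [ "$level" = none ]; then level=read_only; fi ;;
    esac
  done
  echo "$level"
)

# Succeed only if the scopes on stdin permit writing objects to a bucket.
scopes_allow_upload() {
  case "$(storage_access_level)" in
    full|read_write) return 0 ;;
    *) return 1 ;;
  esac
}

# Print (not run) the stop / re-scope / start sequence; arguments are caller-supplied placeholders.
print_fix() {
  echo "gcloud compute instances stop $1 --zone $2"
  echo "gcloud compute instances set-service-account $1 --zone $2 --service-account $3 --scopes storage-full"
  echo "gcloud compute instances start $1 --zone $2"
}

# Constructed sample: part of the default Compute Engine scope set.
SAMPLE_SCOPES="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write"

# On a real VM use: fetch_scopes | storage_access_level
echo "storage access: $(printf '%s\n' "$SAMPLE_SCOPES" | storage_access_level)"
if ! printf '%s\n' "$SAMPLE_SCOPES" | scopes_allow_upload; then
  print_fix INSTANCE_NAME ZONE SERVICE_ACCOUNT_EMAIL
fi
```

After the instance is restarted with the new scopes, `fetch_scopes | storage_access_level` run on the VM should no longer report `read_only`.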