1
votes

I have set up a new Firestore environment, and when attempting to upload and then read data from storage via cloud functions, I get the following error:

project_id@appspot.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object.

I have looked online, and within the Google Cloud console I have added the IAM permission of Storage Admin to this service account, but I am still getting this same error.

Has anyone had this issue before? I have also tried just giving the Owner role to the service account, but I still get the same error.

2
Can you share your Cloud Function code, and in particular the way you initialize the admin app? - Renaud Tarnec
Are you accessing the bucket of the current project? Is the Cloud Storage API activated on the project? - guillaume blaquiere

2 Answers

3
votes

The Storage Admin role has storage.objects.* permissions and thus should be more than enough.

I recommend you try the following options:

  1. Check whether the Cloud Storage API is enabled. If not, enable the API.

  2. Remove the Storage Admin role from your service account and then add it again. Make sure to wait for a couple of minutes so that the roles can propagate properly.

  3. If the above option doesn't work for you, try giving the service account the Storage Object Viewer role separately.
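An added example, not part of the answer above: one way to check what the role bindings actually say before removing and re-adding them is to export the policy with `gcloud projects get-iam-policy PROJECT_ID --format=json` and classify every binding that names the service account. The function name, the role set (a non-exhaustive assumption) and the sample policy are constructed for illustration.

```python
import json

# Assumption: non-exhaustive set of predefined roles containing storage.objects.get.
ROLES_WITH_OBJECT_GET = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectViewer",
}

def audit_object_get(policy_json, sa_email):
    """Classify the bindings in an exported IAM policy that name sa_email."""
    member = f"serviceAccount:{sa_email}"
    result = {"grants": [], "conditional": [], "stale": [], "other_roles": []}
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for m in binding.get("members", []):
            if m.startswith(f"deleted:{member}?"):
                # Binding still points at a deleted account; it grants nothing
                # to an account re-created with the same e-mail address.
                result["stale"].append(role)
            elif m == member:
                if role not in ROLES_WITH_OBJECT_GET:
                    result["other_roles"].append(role)
                elif "condition" in binding:
                    # Applies only while the condition expression is true.
                    result["conditional"].append(role)
                else:
                    result["grants"].append(role)
    return result

# Constructed sample policy (not taken from a real project).
SA = "project_id@appspot.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/editor", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/storage.admin",
     "members": [f"deleted:serviceAccount:{SA}?uid=123456789012345678901"]},
    {"role": "roles/storage.objectViewer",
     "members": [f"serviceAccount:{SA}", "user:dev@example.com"],
     "condition": {"title": "expired",
                   "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")'}},
]})

if __name__ == "__main__":
    report = audit_object_get(SAMPLE_POLICY, SA)
    for kind, roles in report.items():
        print(f"{kind}: {roles}")
    if not report["grants"]:
        print("no unconditional binding with storage.objects.get for", SA)
```

An empty `grants` list alongside a non-empty `stale` or `conditional` list means a role that looks assigned in the console is not an unconditional grant to the current account.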

1
votes

Make sure that you are using the correct buckets & objects in the function. Also make sure that you are using the bucket of the current project.

The service account you mentioned is the App Engine default service account. There is no need to change its permissions. If you already changed the permissions, then revert the changes to editor/owner.

Hope you didn't switch between uniform and fine-grained access controls. If you did, please revert.