service account does not have storage.objects.get access for Google Cloud Storage

Drux picture Drux · Jul 18, 2018 · Viewed 26.7k times · Source

I have created a service account in Google Cloud Console and selected role Storage / Storage Admin (i.e. full control of GCS resources).

gcloud projects get-iam-policy my_project seems to indicate that the role was actually selected:

- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.admin
- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.objectAdmin
- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.objectCreator

And documentation clearly indicates that role roles/storage.admin comprises permissions storage.objects.* (as well as storage.buckets.*).

But when I try using that service account in conjunction with the Google Cloud Storage Client Library for Python, I receive this error message:

my_sa@my_project.iam.gserviceaccount.com does not have storage.objects.get access to my_project/my_bucket.

So why would the selected role not be sufficient in this context?

Answer

Drux picture Drux · Jul 19, 2018

The problem was apparently that the service account was associated with too many roles, perhaps as a results of previous configuration attempts.

These steps resolved the issue:

  • removed all (three) roles for the offending service account (member) my_sa under IAM & Admin / IAM
  • deleted my_sa under IAM & Admin / Service accounts
  • recreated my_sa (again with role Storage / Storage Admin)

Effects are like this:

  • my_sa shows up with one role (Storage Admin) under IAM & Admin / IAM
  • my_sa shows up as member under Storage / Browser / my_bucket / Edit bucket permissions