I have created a service account in Google Cloud Console and selected role Storage / Storage Admin (i.e. full control of GCS resources).
    gcloud projects get-iam-policy my_project

seems to indicate that the role was actually selected:
    - members:
      - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
      role: roles/storage.admin
    - members:
      - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
      role: roles/storage.objectAdmin
    - members:
      - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
      role: roles/storage.objectCreator
And documentation clearly indicates that role roles/storage.admin comprises permissions storage.objects.* (as well as storage.buckets.*).
But when I try using that service account in conjunction with the Google Cloud Storage Client Library for Python, I receive this error message:

    my_sa@my_project.iam.gserviceaccount.com does not have storage.objects.get access to my_project/my_bucket.
So why would the selected role not be sufficient in this context?
The problem was apparently that the service account was associated with too many roles, perhaps as a result of previous configuration attempts.

These steps resolved the issue:

1. my_sa under IAM & Admin / IAM
2. my_sa under IAM & Admin / Service accounts
3. my_sa (again with role Storage / Storage Admin)

Effects are like this:

- my_sa shows up with one role (Storage Admin) under IAM & Admin / IAM
- my_sa shows up as member under Storage / Browser / my_bucket / Edit bucket permissions
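Before deleting and re-creating an account as in the answer above, a practitioner would normally want to see what the policy actually grants the principal and whether the client is even authenticating as that principal. The script below is an added example, not code from the question or the answer. It takes the JSON form of the project policy (the sample embedded in it is constructed to mirror the YAML shown in the question, as `gcloud projects get-iam-policy my_project --format=json` would print it), lists the roles bound to the service account, checks which of those roles cover a given permission using a small hand-written table of the predefined Storage roles (an assumption, covering only the roles needed here), and flags bindings that point at a *deleted* account with the same e-mail, which gcloud prints as `deleted:serviceAccount:EMAIL?uid=NUMERIC_ID`. The `live_permission_check` function additionally calls `Bucket.test_iam_permissions` from google-cloud-storage against the real bucket; it needs credentials and is not run offline. The names my_sa, my_project and my_bucket are the placeholders from the question.

```python
"""Diagnose a GCS 'does not have storage.objects.get access' error.

Added example (not from the question or answer). Offline part: inspect the
project IAM policy JSON. Online part: ask GCS which permissions the
current credentials really hold on the bucket.
"""
import json

# Constructed sample: `gcloud projects get-iam-policy my_project --format=json`
# output for the three bindings shown in the question.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"members": ["serviceAccount:my_sa@my_project.iam.gserviceaccount.com"],
     "role": "roles/storage.admin"},
    {"members": ["serviceAccount:my_sa@my_project.iam.gserviceaccount.com"],
     "role": "roles/storage.objectAdmin"},
    {"members": ["serviceAccount:my_sa@my_project.iam.gserviceaccount.com"],
     "role": "roles/storage.objectCreator"}
  ],
  "etag": "BwXyZ0000000=",
  "version": 1
}
"""

# Constructed sample: what the same policy looks like after the service
# account is deleted (uid value is made up). A re-created account with the
# same e-mail is a new principal and does NOT inherit these bindings.
SAMPLE_POLICY_AFTER_DELETE_JSON = """
{
  "bindings": [
    {"members": ["deleted:serviceAccount:my_sa@my_project.iam.gserviceaccount.com?uid=123456789012345678901"],
     "role": "roles/storage.admin"}
  ],
  "etag": "BwXyZ0000001=",
  "version": 1
}
"""

# Assumption: a hand-written subset of the predefined Cloud Storage roles,
# as permission prefixes. Only what this check needs is listed.
ROLE_PERMISSIONS = {
    "roles/storage.admin": ("storage.buckets.", "storage.objects."),
    "roles/storage.objectAdmin": ("storage.objects.",),
    "roles/storage.objectViewer": ("storage.objects.get", "storage.objects.list"),
    "roles/storage.objectCreator": ("storage.objects.create",),
}


def load_policy(text):
    """Parse the JSON printed by `gcloud ... get-iam-policy --format=json`."""
    return json.loads(text)


def roles_for_member(policy, member):
    """Roles bound to `member`, e.g. 'serviceAccount:x@p.iam.gserviceaccount.com'."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def role_grants(role, permission):
    """True if `role` is known (per the table above) to include `permission`."""
    return any(permission.startswith(p) for p in ROLE_PERMISSIONS.get(role, ()))


def project_level_grants(policy, member, permission):
    """Roles bound to `member` at project level that cover `permission`."""
    return [r for r in roles_for_member(policy, member) if role_grants(r, permission)]


def stale_bindings_for(policy, email):
    """Bindings that still reference a deleted account with this e-mail."""
    prefix = f"deleted:serviceAccount:{email}?uid="
    return sorted((m, b["role"])
                  for b in policy.get("bindings", [])
                  for m in b.get("members", [])
                  if m.startswith(prefix))


def live_permission_check(bucket_name, permissions):
    """Which of `permissions` the *current* credentials hold on the bucket.

    Needs google-cloud-storage and GOOGLE_APPLICATION_CREDENTIALS; the result
    tells "wrong key / wrong principal" apart from "wrong role".
    """
    from google.cloud import storage  # optional dependency, imported lazily

    granted = storage.Client().bucket(bucket_name).test_iam_permissions(permissions)
    return {p: (p in granted) for p in permissions}


if __name__ == "__main__":
    member = "serviceAccount:my_sa@my_project.iam.gserviceaccount.com"
    policy = load_policy(SAMPLE_POLICY_JSON)
    print("bound roles:", roles_for_member(policy, member))
    print("roles covering storage.objects.get:",
          project_level_grants(policy, member, "storage.objects.get"))
    after = load_policy(SAMPLE_POLICY_AFTER_DELETE_JSON)
    print("stale bindings after delete:",
          stale_bindings_for(after, "my_sa@my_project.iam.gserviceaccount.com"))
```

If the offline check says the project policy already covers `storage.objects.get` (as it does for the bindings in the question) but `live_permission_check("my_bucket", ["storage.objects.get"])` still reports it as missing, the mismatch is between the principal the client library is using and the one in the policy (old key file, different project, or a re-created account whose old bindings now show as `deleted:`), not between the role and its permissions.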