service account does not have storage.objects.get access for Google Cloud Storage
I have created a service account in Google Cloud Console and selected role Storage / Storage Admin (i.e. full control of GCS resources).
gcloud projects get-iam-policy my_project seems to indicate that the role was actually selected:
- members:
- serviceAccount:my_sa@my_project.iam.gserviceaccount.com
role: roles/storage.admin
- members:
- serviceAccount:my_sa@my_project.iam.gserviceaccount.com
role: roles/storage.objectAdmin
- members:
- serviceAccount:my_sa@my_project.iam.gserviceaccount.com
role: roles/storage.objectCreator
And documentation clearly indicates that role roles/storage.admin comprises permissions storage.objects.* (as well as storage.buckets.*).
But when I try using that service account in conjunction with the Google Cloud Storage Client Library for Python, I receive this error message:
my_sa@my_project.iam.gserviceaccount.com does not have storage.objects.get access to my_project/my_bucket.
So why would the selected role not be sufficient in this context?
Answer
The problem was apparently that the service account was associated with too many roles, perhaps as a results of previous configuration attempts.
These steps resolved the issue:
- removed all (three) roles for the offending service account (member)
my_saunderIAM & Admin/IAM - deleted
my_saunderIAM & Admin/Service accounts - recreated
my_sa(again with roleStorage/Storage Admin)
Effects are like this:
my_sashows up with one role (Storage Admin) underIAM & Admin/IAMmy_sashows up as member underStorage/Browser/my_bucket/Edit bucket permissions