
I have created a service account in Google Cloud Console and selected role Storage / Storage Admin (i.e. full control of GCS resources).

gcloud projects get-iam-policy my_project seems to indicate that the role was actually selected:

- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.admin
- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.objectAdmin
- members:
  - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
  role: roles/storage.objectCreator

And documentation clearly indicates that role roles/storage.admin comprises permissions storage.objects.* (as well as storage.buckets.*).

But when I try using that service account in conjunction with the Google Cloud Storage Client Library for Python, I receive this error message:

my_sa@my_project.iam.gserviceaccount.com does not have storage.objects.get access to my_project/my_bucket.

So why would the selected role not be sufficient in this context?

Drux
  • Could you share the code you're using? Also could you tell me more about how this service account is set to be used by the client library? – Frank Natividad Jul 21 '18 at 02:21
  • @FrankNatividad This is what questions (and upvotes) are for. Why not post such a question (and link to it from here, so that I can notice it as well)? – Drux Jul 21 '18 at 05:52
  • 1
    It looks there's a bug in gcloud. I've come across the same problem. Roles assigned but always permission denied from the command line, which dissapeared after removing service account and creating another one. – Lukasz Frankowski Oct 28 '18 at 20:33
  • In case this helps anyone in the future: I had a similar problem but had to reboot my IDE (PyCharm) after granting the correct permissions. – Sofie VL Apr 03 '20 at 18:14
  • Quick note: the role has to be assigned ***on the bucket*** (***not*** in the Service account's permission tab ...) – jave.web Aug 22 '23 at 16:47

8 Answers

26

The problem was apparently that the service account was associated with too many roles, perhaps as a result of previous configuration attempts.

These steps resolved the issue:

  • removed all (three) roles for the offending service account (member) my_sa under IAM & Admin / IAM
  • deleted my_sa under IAM & Admin / Service accounts
  • recreated my_sa (again with role Storage / Storage Admin)

Effects are like this:

  • my_sa shows up with one role (Storage Admin) under IAM & Admin / IAM
  • my_sa shows up as member under Storage / Browser / my_bucket / Edit bucket permissions
Drux
  • Happy to hear you solved the issue. Principally, if a service account has Storage Admin role it should be able to create a bucket no matter what additional roles it has. I try to reproduce this issue, having a service account with three roles storage.admin, storage.objectAdmin, and storage.objectCreator; I confirm I can create a bucket using that service account. Can you double check by adding these additional roles if the issue still continues on your side? – Yurci Jul 19 '18 at 13:36
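An added example (not code from the question or any answer) that parses a project-level IAM policy as `gcloud projects get-iam-policy my_project --format=json` prints it, lists the roles bound to a member, says which of them grant the permission named in the error (`storage.objects.get`), and flags bindings that are fully covered by another role, as with the three roles in the question. The policy below is constructed to mirror the question; only the predefined Storage roles on this page are mapped, and bucket-level bindings and IAM propagation delay are not visible in a project policy.

```python
"""Offline check of a project IAM policy for a service account's Cloud Storage
permissions. Constructed sample data; predefined Storage roles only."""
import json
from fnmatch import fnmatchcase

# Permissions granted by the predefined Cloud Storage roles discussed on this page.
# roles/storage.admin covers every storage.objects.* and storage.buckets.* permission.
ROLE_PERMISSIONS = {
    "roles/storage.admin": ["storage.objects.*", "storage.buckets.*"],
    "roles/storage.objectAdmin": ["storage.objects.*"],
    "roles/storage.objectCreator": ["storage.objects.create"],
    "roles/storage.objectViewer": ["storage.objects.get", "storage.objects.list"],
}

MEMBER = "serviceAccount:my_sa@my_project.iam.gserviceaccount.com"

# Constructed sample mirroring `gcloud projects get-iam-policy my_project --format=json`.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/storage.admin", "members": [MEMBER]},
    {"role": "roles/storage.objectAdmin", "members": [MEMBER]},
    {"role": "roles/storage.objectCreator", "members": [MEMBER]},
]})


def roles_for_member(policy_json, member):
    """Sorted roles bound to `member` at the project level."""
    policy = json.loads(policy_json)
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def roles_granting(roles, permission):
    """Subset of `roles` whose predefined permission set includes `permission`."""
    return [r for r in roles
            if any(fnmatchcase(permission, pat) for pat in ROLE_PERMISSIONS.get(r, []))]


def redundant_roles(roles):
    """Roles whose every permission is already granted by another bound role.
    Surfaces leftover bindings so the member can be trimmed to least privilege."""
    known = [r for r in roles if r in ROLE_PERMISSIONS]
    redundant = []
    for role in known:
        others = [o for o in known if o != role and o not in redundant]
        # A permission (or wildcard) is covered if some other role's pattern matches it.
        covered = all(any(fnmatchcase(perm, pat) for o in others
                          for pat in ROLE_PERMISSIONS[o])
                      for perm in ROLE_PERMISSIONS[role])
        if covered:
            redundant.append(role)
    return redundant
```

If `roles_granting` is non-empty at the project level and the client still gets the error, the remaining causes are the ones the other answers name: a binding that has not propagated yet, a bucket-level policy that lacks the member, or the wrong bucket name in the client.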
25

Go to your bucket's permissions section and open the add permissions section for your bucket. For example, the insufficient service, which gcloud tells you, is:

1234567890-compute@developer.gserviceaccount.com 

Add this service as a user, then give it these roles:

  • Cloud Storage - Storage Admin
  • Cloud Storage - Storage Object Admin
  • Cloud Storage - Storage Object Creator

Then you should have sufficient permissions to make changes on your bucket.

nour
  • Thanks, this worked for me. While my actual username was added with all the permissions, it worked only when I added 1234567890-compute@developer.gserviceaccount.com this principal – Rishabh Gupta May 05 '22 at 06:31
21

It's worth noting that you need to wait up to a few minutes for permissions to be working in case you just assigned them. At least that's what happened to me after:

gcloud projects add-iam-policy-binding xxx --member
"serviceAccount:xxx@xxx.iam.gserviceaccount.com" --role "roles/storage.objectViewer"
Kevin Danikowski
0Pat
  • This is exactly what happened to me with fresh app engine deployment via `gcloud app deploy`. – Ville Mar 08 '21 at 21:01
4

I just realized this happens sometimes when you are creating the Firebase/Firestore/Storage project for the first time.

If you got this error in your first installation/deploy/setup, just wait 1 minute and try again. Seems like some delays in the Google Cloud deploys/serving are responsible for this.

Broda Noel
1

For me, it was because I deployed with the "default-bucket" parameter needed for the storage emulator.

admin.storage().bucket('default-bucket'); // do not deploy that

To fix it, I set the default bucket name at the initialization of the firebase admin.

const admin = require('firebase-admin');

// Use the emulator's bucket name only when running under the Functions emulator;
// in production point at the real Firebase Storage bucket.
const config = process.env.FUNCTIONS_EMULATOR ? {
    storageBucket: 'default-bucket',
} : {
    storageBucket: 'YOUR_FIREBASE_STORAGE_BUCKET',
};

admin.initializeApp(config);

// No argument: use the default bucket configured above.
const bucket = admin.storage().bucket();
Yairopro
  • I had the same issue! I had all the proper permissions, but using the wrong bucket name resulted in a "permission" error, which was pretty misleading. – theicfire Apr 01 '22 at 20:18
  • I mean... in google's defense... there might be a bucket named "default-bucket", and you don't have access to it :) – Michael Delgado Jun 21 '22 at 21:40
1

I got this error when I copied a cloud function from another project because I forgot to update the storage bucket. Silly mistake.

admin.initializeApp({
  storageBucket: "gs://*****.appspot.com",
});
Rens
1

For me, it worked after I added the associated email in the IAM page by the following steps. ChatGPT helped me on this btw.

  1. Go to the Google Cloud Console at https://console.cloud.google.com/.
  2. Select the project associated with your Firebase project.
  3. Open the "IAM & admin" page from the left-hand menu.
  4. Click the "ADD" button to add a new member to the project.
  5. Enter the email address. For me it was in the following format. firebase-adminsdk-xxxxx@xxxxx-xxxxx.iam.gserviceaccount.com
  6. Select the role Storage Object Creator or Storage Object Admin from the dropdown menu.
  7. Click the "SAVE" button to save the changes.
Kittichote Chain
0

In my case, after the service account was created, the interface returned the error: "service account does not have storage.objects.get access for Google Cloud Storage".

But when I tried again the next day, everything was fine :)

fgd
  • I am having the same issue, @fgd. In GCP I've set `Storage Object Admin` permissions, however I am using Firebase Storage instead. – gesf Mar 04 '23 at 15:19