GCP - Not able to list objects inside Bucket even having devstorage.read_only permission?

Question

I have created a EC2 instance, which creates by default service account with default permissions. So when I checked the default permissions I found that the service account is all these permissions below.

https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/trace.append

Now I tried to list all the objects inside the bucket by using the command:-

gsutil ls gs://mybucketname

Found an error

AccessDeniedException: 403 XXXX@developer.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket.

Why I am getting this error even though my service account user is having devstorage.read_only?

And I am very new to GCP here, so let me know.

marian.vladoi · Accepted Answer · 2020-11-19T13:47:17.790

Please read the official documentation regarding the difference between setting the service account level of access with IAM roles and setting the GCE instance's access scopes:

Service account permissions

When you set up an instance to run as a service account, you determine the level of access the service account has by the IAM roles that you grant to the service account. If the service account has no IAM roles, then no API methods can be run by the service account on that instance.

Furthermore, an instance's access scopes determine the default OAuth scopes for requests made through the gcloud tool and client libraries on the instance. As a result, access scopes potentially further limit access to API methods when authenticating through OAuth. However, they do not extend to other authentication protocols like gRPC.

Essentially:

IAM restricts access to APIs based on the IAM roles that are granted to the service account.

Access scopes potentially further limit access to API methods when authenticating through OAuth.

Therefore I would recomend to add an IAM role with storage.objects.list permission to your instance service account (maybe roles/storage.legacyBucketReader).

Yup! Got a clear picture. I was confused with Roles and IAM user. Now this gives a clear picture about it. I moved from AWS to GCP so was lillte confusde — AWS Learning, Nov 19 '20 at 13:55
hi @marian.vladoi can you help me in this question:- https://stackoverflow.com/questions/65073267/i-am-not-able-to-access-compute-engine-api-with-gcloud — AWS Learning, Nov 30 '20 at 12:15

GCP - Not able to list objects inside Bucket even having devstorage.read_only permission?

1 Answers1