I have an app for programmatically uploading and downloading from GCS buckets which has worked for me in the past, but with a new account is getting a permissions error. For the new account, I've created a service account (skyplane-manual) and given the service account Storage Admin and Storage Object Admin permissions and when I run gcloud projects get-iam-policy <PROJECT> I get the output below:

- members:
  - serviceAccount:skyplane-manual@<PROJECT>.iam.gserviceaccount.com
  role: roles/serviceusage.serviceUsageAdmin
- members:
  - serviceAccount:skyplane-manual@<PROJECT>.iam.gserviceaccount.com
  role: roles/serviceusage.serviceUsageConsumer
- members:
  - serviceAccount:skyplane-manual@<PROJECT>.iam.gserviceaccount.com
  role: roles/storage.admin

I download the service account keys JSON locally. However, when I try to access the storage account with this line:

google.cloud.storage.Client.from_service_account_json(self.service_account_credentials)

I get the following error:

https://iam.googleapis.com/v1/projects/<PROJECT_ID>/serviceAccounts?alt=jsonreturned "Caller does not have required permission to use project <PROJECT_ID>. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=<PROJECT_ID> and then retry. Propagation of the new permission may take a few minutes." Details: "[{'@type': 'type.googleapis.com/google.rpc.Help', 'links': 2023-05-03T20:28:25.312929717Z [{'description': 'Google developer console IAM admin', 'url': 'https://console.developers.google.com/iam-admin/iam/project?project=<PROJECT_ID>'}]}, {'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 
2023-05-03T20:28:25.312934368Z 'USER_PROJECT_DENIED', 'domain': 'googleapis.com', 'metadata': {'consumer': 2023-05-03T20:28:25.312935828Z 'projects/<PROJECT_ID>', 'service': 'iam.googleapis.com'}}]">

I'm having trouble debugging this issue - does the "Caller" refer to the primary GCP account (so what account needs the serviceusage.serviceUsageConsumer role)? Why can't I access the object store via the service credentials if I have the service keys JSON? And I also cannot find an equivalent permission to serviceusage.serviceUsageConsumer in the GCP console.

swooders
  • Include more of your code. The caller is the service account. The service account needs `serviceusage.serviceUsageConsumer`. See my [answer](https://stackoverflow.com/a/56050811/8016720) for the permissions. – John Hanley May 08 '23 at 17:31
  • I don't think this is the issue, or it may be the service account isn't the caller. I tried listing the accounts in each role with `gcloud projects get-iam-policy` and updated the question with the output. – swooders May 08 '23 at 22:47
  • To confirm if your service account is activated please do run this command 'gcloud auth list'. – DominicT May 12 '23 at 22:26
  • You need the permissions on the project you configure for API billing. Notice the error `USER_PROJECT_DENIED`. The service account needs permissions for the correct Project ID. – John Hanley May 12 '23 at 22:43
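The check below is an added example, not code from the question or its comments. It reads a service account key file and one or more IAM policies exported with `gcloud projects get-iam-policy --format=json`, and reports whether the service account holds a project-use role on the project that a `USER_PROJECT_DENIED` error names, which need not be the project the key belongs to. The project ids `my-proj` and `billing-proj` are placeholders I constructed, and treating `roles/serviceusage.serviceUsageAdmin` as carrying `serviceusage.services.use` is my assumption.

```python
import json

# The error in the question accepts the Service Usage Consumer role or any role
# carrying serviceusage.services.use; serviceUsageAdmin is assumed here to be
# one such role (an assumption, not something the page states).
PROJECT_USE_ROLES = {
    "roles/serviceusage.serviceUsageConsumer",
    "roles/serviceusage.serviceUsageAdmin",
}

def roles_for_member(policy: dict, member: str) -> set:
    """Roles bound to `member` in a `gcloud ... get-iam-policy --format=json` document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def diagnose(key_json: str, policies: dict, error_project: str) -> dict:
    """Check the project named by a USER_PROJECT_DENIED error against the key's
    own project and the roles the service account holds there.
    `policies` maps project id -> parsed IAM policy."""
    key = json.loads(key_json)
    member = "serviceAccount:" + key["client_email"]
    held = roles_for_member(policies.get(error_project, {}), member)
    return {
        "member": member,
        "key_project": key["project_id"],
        "error_project": error_project,
        # The 'consumer' project in the error is the one charged for the call;
        # if it is not the key's project, the roles were granted elsewhere.
        "project_mismatch": key["project_id"] != error_project,
        "roles_on_error_project": sorted(held),
        "can_use_project": bool(held & PROJECT_USE_ROLES),
    }

# Constructed inputs with placeholder project ids: a trimmed key file and the
# IAM policies of two projects.
SA = "serviceAccount:skyplane-manual@my-proj.iam.gserviceaccount.com"
SAMPLE_KEY = json.dumps({"type": "service_account", "project_id": "my-proj",
                         "client_email": SA.split(":", 1)[1]})
SAMPLE_POLICIES = {
    # Same three bindings the question's gcloud output shows.
    "my-proj": {"bindings": [
        {"role": "roles/serviceusage.serviceUsageAdmin", "members": [SA]},
        {"role": "roles/serviceusage.serviceUsageConsumer", "members": [SA]},
        {"role": "roles/storage.admin", "members": [SA]},
    ]},
    # A second project in which the account was never granted anything.
    "billing-proj": {"bindings": []},
}
```

Running `diagnose(SAMPLE_KEY, SAMPLE_POLICIES, "billing-proj")` reproduces the situation the last comment describes: the key's project holds the grants, but the project actually billed for the API call holds none.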
