
GCP Deployment Manager: 403 does not have storage.buckets.get access

I am trying to create a bucket using Deployment manager but when I want to create the deployment, I get the following error:

ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1525606425901-56b87ed1537c9-70ca4aca-72406eee]: errors:
- code: RESOURCE_ERROR
  location: /deployments/posts/resources/posts
  message: '{"ResourceType":"storage.v1.bucket","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"[email protected]
    does not have storage.buckets.get access to posts.","reason":"forbidden"}],"message":"[email protected]
    does not have storage.buckets.get access to posts.","statusMessage":"Forbidden","requestPath":"https://www.googleapis.com/storage/v1/b/posts","httpMethod":"GET","suggestion":"Consider
    granting permissions to [email protected]"}}'

If I understand it correctly, the deployment manager uses a service account (as described in the message) to actually create all my resources. I've checked IAM and made sure that the service role ([email protected]) does have access as "Editor" and even added "Storage Admin" (which includes storage.buckets.get) to be extra sure. However, I still get the same error message.

Am I assigning the permissions to the wrong IAM user / what am I doing wrong?


Command used:

gcloud deployment-manager deployments create posts --config posts.yml

My deployment template:

bucket.jinja

resources:
- name: {{ properties['name'] }}
  type: storage.v1.bucket
  properties:
    name: {{ properties['name'] }}
    location: europe-west1
    lifecycle:
      rule:
      - action:
          type: Delete
        condition:
          age: 30
          isLive: true
    labels:
      datatype: {{ properties['datatype'] }}
    storageClass: REGIONAL

posts.yml

imports:
  - path: bucket.jinja

resources:
- name: posts
  type: bucket.jinja
  properties:
    name: posts
    datatype: posts

Jan asked May 06 '18 11:05




1 Answer

I tested your code with success and I believe that the issue was that you were trying to create/update a bucket owned by a different user belonging to a different project, over which your service account has no power.

Therefore please try to redeploy, changing the name, which likely is a unique one, and let me know if this solves the issue. This can be an issue in some scenarios, because either you chose a name that is pretty long or there is the risk that it is already taken.


Notice that you have to change the name of the bucket, since it has to be unique across all the projects of all the users.

This could seem an excessive requirement, but it makes it possible to create static websites or to refer to files with the standard URL:

  • https://storage.googleapis.com/nomebucket/folder/nomefile

From the error trace I believe that this is the issue: you are trying to create a bucket that does not exist and you do not own.


Notice that if you remove the permissions from the service account, you do not receive the message telling you that the service account does not have any power on the bucket:

[email protected] does not have storage.buckets.get access to posts.

but instead a message telling you that the service account has no power on the project:

Service account [email protected] is not authorized
    to take actions for project xxx. Please add [email protected]
    as an editor under project xxx using Google Developers Console

Notice that if you try to create a bucket you already own there is no issue.

$ gcloud deployment-manager deployments create posts22 --config posts.yml
The fingerprint of the deployment is xxx==
Waiting for create [operation-xxx-xxx-xxx-xxx]...done.
Create operation operation-xxx-xxx-xxx-xxx completed successfully.
NAME                  TYPE               STATE      ERRORS  INTENT
nomebuckettest4536  storage.v1.bucket  COMPLETED  []

GalloCedrone answered Sep 19 '22 12:09

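A small triage helper, added here and not part of either post, that tells apart the two failure messages the answer contrasts (a 403 on the bucket itself, which with roles already granted points at a globally taken bucket name, versus "not authorized to take actions for project", which points at a missing project role) and builds a collision-resistant name by prefixing the globally unique project id. The service-account addresses, project id and JSON payload in the samples are constructed placeholders shaped like the messages on this page.

```python
import json
import re

# Constructed samples modelled on the two messages quoted in the answer.
TAKEN_BUCKET = json.dumps({
    "ResourceType": "storage.v1.bucket",
    "ResourceErrorCode": "403",
    "ResourceErrorMessage": {
        "code": 403,
        "message": "12345-compute@developer.gserviceaccount.com does not have "
                   "storage.buckets.get access to posts.",
        "requestPath": "https://www.googleapis.com/storage/v1/b/posts",
    },
})
NO_PROJECT_ROLE = ("Service account 12345@cloudservices.gserviceaccount.com is not "
                   "authorized to take actions for project my-proj.")

BUCKET_403 = re.compile(
    r"(?P<sa>\S+) does not have (?P<perm>storage\.\S+) access to (?P<bucket>\S+)\.")
PROJECT_403 = re.compile(
    r"Service account (?P<sa>\S+) is not authorized to take actions for project "
    r"(?P<project>[^\s.]+)")


def classify_dm_error(text: str) -> dict:
    """Map a Deployment Manager bucket error to its likely cause."""
    msg, rtype = text, None
    try:  # the RESOURCE_ERROR wraps the real message in a JSON string
        err = json.loads(text)
        rtype = err.get("ResourceType")
        msg = err["ResourceErrorMessage"]["message"]
    except (ValueError, KeyError, TypeError, AttributeError):
        pass  # plain-text operation error, not the JSON wrapper
    msg = " ".join(msg.split())  # gcloud wraps long messages across lines
    m = BUCKET_403.search(msg)
    if m and rtype == "storage.v1.bucket":
        # GET on the bucket is forbidden although the project roles are in
        # place: the name is already owned by another project.
        return {"cause": "bucket-name-taken", "bucket": m["bucket"],
                "service_account": m["sa"], "permission": m["perm"]}
    m = PROJECT_403.search(msg)
    if m:
        return {"cause": "missing-project-role", "project": m["project"],
                "service_account": m["sa"]}
    return {"cause": "unknown"}


def unique_bucket_name(project_id: str, base: str) -> str:
    """Prefix the base name with the project id, which is itself globally unique."""
    name = re.sub(r"[^a-z0-9._-]", "-", f"{project_id}-{base}".lower()).strip(".-_")
    if not 3 <= len(name) <= 63:  # Cloud Storage length limits for bucket names
        raise ValueError(f"bucket name length out of range: {name}")
    return name
```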