Google Cloud API Service authorisation failure - forbidden access

Question

I am currently receiving the following error when attempting to access the google cloud service via a java client:

Caused by: 
com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 
Forbidden
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "xyz.iam.gserviceaccount.com does not have 
    storage.buckets.list access to project 123456.",
    "reason" : "forbidden"
  } ],
  "message" : "xyz.iam.gserviceaccount.com does not have 
storage.buckets.list access to project 123456."
}

So far I have:

• Installed and authorised the sdk with the login details of the google cloud account
• Added the GOOGLE_APPLICATION_CREDENTIALS of the service account xyz to my environment variable with the path to the json key
• Given the service account (xyz) permissions for the given project (123456)
• Enabled permissions to the Storage API and the Speech API (the intended target in the future)

How do I provide access to a service account for a given list or api for a given project?

Answer 1

The message is very specific and doesn't leave much room for doubt, but if there is an issue please share the roles currently assigned to your service account:

"xyz.iam.gserviceaccount.com does not have storage.buckets.list access to project 123456."

It could be that the role you have assigned to your service account in https://console.cloud.google.com/iam-admin/iam/project doesn't have the storage.buckets.list access.

In order to see if the specific role has the storage.buckets.list access, search for that access in https://console.cloud.google.com/iam-admin/roles. This will output list of roles that have this access and you can see if you service account has one of the or not.

Answer 2

You need to provide the Service Account with "Storage Admin" access. This can be found in https://console.cloud.google.com/iam-admin/iam?project={your-project}

Click the pencil under "Inheritance" to edit the permissions.

Answer 3

It could also be that you set a project that does not exist. For example by running the following on the gcloud cli gcloud config set project personal, whereas the actual ID of the project is personal-267000 as below

gcloud projects list | grep personal personal-267000 personal 203784673875

So, once you set it up correctly, gcloud config set project personal-267000, your commands should work nicely. The easiest way to test is by triggering the following cli command gsutil ls. Don't forget to make sure that you're using the account you want as well : gcloud config configurations list