service account does not have storage.objects.get access for Google Cloud Storage

I have created a service account in Google Cloud Console and selected role Storage / Storage Admin (i.e. full control of GCS resources).

gcloud projects get-iam-policy my_project seems to indicate that the role was actually selected:

    - members:
      - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
      role: roles/storage.admin
    - members:
      - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
      role: roles/storage.objectAdmin
    - members:
      - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
      role: roles/storage.objectCreator

And documentation clearly indicates that role roles/storage.admin comprises permissions storage.objects.* (as well as storage.buckets.*).

But when I try using that service account in conjunction with the Google Cloud Storage Client Library for Python, I receive this error message:

my_sa@my_project.iam.gserviceaccount.com does not have storage.objects.get access to my_project/my_bucket.

So why would the selected role not be sufficient in this context?

asked Jul 18 '18 20:07 by Drux



2 Answers

The problem was apparently that the service account was associated with too many roles, perhaps as a result of previous configuration attempts.

These steps resolved the issue:

  • removed all (three) roles for the offending service account (member) my_sa under IAM & Admin / IAM
  • deleted my_sa under IAM & Admin / Service accounts
  • recreated my_sa (again with role Storage / Storage Admin)

Effects are like this:

  • my_sa shows up with one role (Storage Admin) under IAM & Admin / IAM
  • my_sa shows up as member under Storage / Browser / my_bucket / Edit bucket permissions
answered Oct 02 '22 01:10 by Drux


It's worth noting that you need to wait a minute or something for permissions to be working in case you just assigned them. At least that's what happened to me after:

    gcloud projects add-iam-policy-binding xxx --member "serviceAccount:[email protected]" --role "roles/storage.objectViewer"
answered Oct 02 '22 01:10 by 0Pat
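IAM changes are eventually consistent, so a 403 in the first seconds after `add-iam-policy-binding` does not by itself prove the role is wrong. Rather than a fixed sleep, a job can poll the bucket's `testIamPermissions` until the permission it needs is reported, with a bounded deadline and exponential backoff. The following is an added example for this page, not code from the answer above. `wait_for_permissions` takes any `probe` callable that returns the list of permissions the caller currently holds; `gcs_probe` shows how to build that probe from the real `google-cloud-storage` client (`Bucket.test_iam_permissions`), but it is never called here, and the constructed `FakePropagation` and `FakeClock` stand in for the service and the wall clock so the example runs offline.

```python
"""Poll until a freshly granted IAM permission becomes effective.

Added example (not from the original answer). The probe returns the
permissions the caller holds right now; the loop stops as soon as every
wanted permission is present, or gives up at the deadline.
"""
import time


def wait_for_permissions(probe, wanted, deadline_s=120.0, initial_s=1.0,
                         max_s=16.0, sleep=time.sleep, clock=time.monotonic):
    """Return (True, attempts) once `probe` reports every permission in
    `wanted`, or (False, attempts) when the next sleep would pass
    `deadline_s`. The delay doubles each round, capped at `max_s`."""
    wanted = set(wanted)
    start = clock()
    delay = initial_s
    attempts = 0
    while True:
        attempts += 1
        if wanted <= set(probe(sorted(wanted))):
            return True, attempts
        if clock() - start + delay > deadline_s:
            return False, attempts
        sleep(delay)
        delay = min(delay * 2, max_s)


def gcs_probe(bucket_name):
    """Build a probe against a real bucket (not executed in this example).
    Requires google-cloud-storage and application default credentials for
    the service account being checked."""
    from google.cloud import storage  # imported lazily: optional dependency
    bucket = storage.Client().bucket(bucket_name)
    return lambda perms: bucket.test_iam_permissions(perms)


class FakePropagation:
    """Constructed stand-in for IAM propagation: the permission shows up
    from the `ready_after`-th probe onwards."""

    def __init__(self, ready_after):
        self.ready_after = ready_after
        self.calls = 0

    def __call__(self, perms):
        self.calls += 1
        return list(perms) if self.calls >= self.ready_after else []


class FakeClock:
    """Constructed clock whose time only advances when `sleep` is called."""

    def __init__(self):
        self.t = 0.0

    def sleep(self, seconds):
        self.t += seconds

    def clock(self):
        return self.t


if __name__ == "__main__":
    fake = FakeClock()
    ok, n = wait_for_permissions(FakePropagation(3), ["storage.objects.get"],
                                 sleep=fake.sleep, clock=fake.clock)
    print(f"granted={ok} after {n} probes, {fake.t:.0f}s of simulated waiting")
```

Used against a real bucket, `wait_for_permissions(gcs_probe("my_bucket"), ["storage.objects.get"])` blocks for at most the deadline and then lets the caller fail fast with a clear message instead of retrying the real workload blindly. Note that `testIamPermissions` itself needs no special permission, so it is safe to call with the same credentials the job will use.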