The caller does not have permission when attempting to use Google Cloud Storage within Cloud Run

I'm attempting to get a Node project setup on Google Cloud Run with Cloud Storage. I am running into an authentication issue when using a created Service Account.

When creating the service account I did successfully download the JSON token and got everything running correctly in my local development environment.

The issue is that when I have the application deployed successfully to Cloud Run, I get the following error: Error: The caller does not have permission

This occurs when I am attempting to get a signed URL for uploading files to a Storage Bucket.

I create the Storage client like this:

const { Storage } = require("@google-cloud/storage");
const storage = new Storage();

...and further down in my script the call is like this:

const [url] = await storage
  .bucket(bucketName)
  .file(filename)
  .getSignedUrl(options);

I have set up the following permissions for the IAM Service Account:

  • Cloud SQL Client - Maybe relevant? I have Cloud SQL successfully working on deployed environment.
  • Service Account User - Needed to be used as a Service Account?
  • Storage Object Creator - I only need the ability to create signed upload URLs from this project.

I have also assigned the mentioned service account to the Cloud Run instance via the console.

Just to confirm, the application runs 100% correctly locally using the Service Account JSON Key, it's just not working when running in the Google Cloud.

John Chipps-Harding asked Jun 19 '20 23:06

1 Answer

I managed to resolve the issue. It looks like when deployed into Cloud Run it also requires the extra permission "Service Account Token Creator" to run getSignedUrl. Locally for some reason this role is not required.

To add this role, go to IAM & Admin section in the Google Cloud Console, edit the "App Engine default service account" and add the "Service Account Token Creator" role. Click Save and that should be it.

John Chipps-Harding answered Oct 18 '22 07:10
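As an added example (not code from the question or the answer above): a startup preflight that signs a dummy blob the same way getSignedUrl does, so a missing Service Account Token Creator role on the Cloud Run runtime service account shows up at deploy time rather than on the first upload. It assumes the google-auth-library package (a dependency of @google-cloud/storage) is installed; the helper names are mine.

```javascript
// Why the role is needed only in Cloud Run: a downloaded JSON key contains a
// private_key, so the Storage library signs the URL locally. On Cloud Run the
// metadata-server credentials carry no private key, so the library must call
// the IAM Credentials API (signBlob), which requires the runtime service
// account to hold roles/iam.serviceAccountTokenCreator (iam.serviceAccounts.signBlob).

// Pure helper: decide how a signed URL will be produced for a credential shape.
function signingPath(credentials) {
  if (credentials && credentials.private_key && credentials.client_email) {
    return { method: "local-private-key", needsTokenCreator: false };
  }
  return { method: "iam-signblob", needsTokenCreator: true };
}

// Map a signing error to an actionable diagnosis (heuristic on the message text).
function diagnoseSignError(err) {
  const msg = String((err && err.message) || err);
  if (/does not have permission|PERMISSION_DENIED|\b403\b/i.test(msg)) {
    return "runtime service account lacks roles/iam.serviceAccountTokenCreator (iam.serviceAccounts.signBlob)";
  }
  if (/Could not load the default credentials/i.test(msg)) {
    return "no Application Default Credentials found";
  }
  return "unexpected signing error: " + msg;
}

// Preflight: sign a throwaway string exactly as getSignedUrl will (private key
// locally, IAM signBlob in Cloud Run). Call it once at server startup, e.g.
//   preflightSigning().then((r) => { if (!r.ok) { console.error(r); process.exit(1); } });
async function preflightSigning() {
  // Required lazily so the pure helpers above stay usable without the package.
  const { GoogleAuth } = require("google-auth-library");
  const auth = new GoogleAuth({ scopes: ["https://www.googleapis.com/auth/cloud-platform"] });
  const creds = await auth.getCredentials(); // { client_email, private_key? }
  const path = signingPath(creds);
  try {
    await auth.sign("preflight"); // local key, or IAM signBlob when no key is present
    return { ok: true, ...path };
  } catch (err) {
    return { ok: false, ...path, reason: diagnoseSignError(err) };
  }
}

module.exports = { signingPath, diagnoseSignError, preflightSigning };
```

Granting the role on the runtime service account itself (rather than project-wide) is enough, since signBlob only needs to be allowed for that one account.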