I have created a new service account and attached a custom role. This custom role has the storage.buckets.get
permission. While using the new service account, I am still getting the following error:
```
google.api_core.exceptions.Forbidden: 403 GET https://storage.googleapis.com/storage/v1/b/[bucket-name]?projection=noAcl&prettyPrint=false: [service-account-name]@[project-id].iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist).
```
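The Python code:
```python
import os
from google.cloud import storage

storage_client = storage.Client()
bucket_name = os.getenv('BUCKET_NAME')
self.bucket = storage_client.get_bucket(bucket_name)  # inside a class method; this call issues the GET that returns 403
```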
Roles of the service account:
```
ROLE
projects/[ProjectID]/roles/[CustomRole]
roles/storage.objectCreator
roles/storage.objectUser
roles/storage.objectViewer
roles/viewer
```
Permissions of projects/[ProjectID]/roles/[CustomRole] role:
```yaml
description: [some-description]
etag: [some-etag]
includedPermissions:
- storage.buckets.get
name: projects/[ProjectID]/roles/[CustomRole]
stage: ALPHA
title: [Custom Role Title]
```
What could be the reason? I am making a query to get a particular bucket using this service account.
PS: I have waited 15 minutes and can confirm that the role is properly attached to the service account.
The bucket did not exist and the second part of the error mentions non-existence of the resource, which is the bucket in this case.
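The following is an added example, not code from the question or the answer: a diagnostic that separates "the bucket is missing" from "the permission is missing" when `get_bucket()` returns 403. The names `diagnose_bucket_access`, `FakeClient` and `FakeError` are hypothetical; it assumes a client with `get_bucket()` and `list_buckets()` like `google.cloud.storage.Client`, and errors that carry the HTTP status in `.code` as `google.api_core` exceptions do.

```python
from types import SimpleNamespace

def _status(exc):
    # google.api_core exceptions carry the HTTP status in `.code`.
    return getattr(exc, "code", None)

def diagnose_bucket_access(client, bucket_name):
    """Classify a failing get_bucket() call; returns a short verdict string."""
    if not bucket_name:
        return "unset-name"  # e.g. os.getenv('BUCKET_NAME') returned None
    try:
        client.get_bucket(bucket_name)
        return "ok"
    except Exception as exc:
        if _status(exc) == 404:
            return "not-found"
        if _status(exc) != 403:
            raise
    # A 403 does not reveal whether the bucket exists. Listing the project's
    # buckets (requires storage.buckets.list) can settle the question.
    try:
        names = {b.name for b in client.list_buckets()}
    except Exception as exc:
        if _status(exc) == 403:
            return "denied-cannot-list"
        raise
    return "exists-but-denied" if bucket_name in names else "not-in-project"

class FakeError(Exception):  # constructed stand-in for a google.api_core error
    def __init__(self, code):
        super().__init__(f"HTTP {code}")
        self.code = code

class FakeClient:
    """Constructed stand-in for storage.Client so the example runs offline."""
    def __init__(self, visible, readable=()):
        self.visible, self.readable = visible, set(readable)
    def get_bucket(self, name):
        if name not in self.readable:
            raise FakeError(403)
        return SimpleNamespace(name=name)
    def list_buckets(self):
        if self.visible is None:  # None models a caller without storage.buckets.list
            raise FakeError(403)
        return [SimpleNamespace(name=n) for n in self.visible]

if __name__ == "__main__":
    print(diagnose_bucket_access(FakeClient({"logs"}), "typo-bucket"))  # not-in-project
```

With the real library, pass `storage.Client()` as `client`. A `not-in-project` verdict means the name is either unused or belongs to a bucket in a different project, so check the value of `BUCKET_NAME` before changing any IAM bindings.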