[SOLVED] Google Cloud Document AI cannot access Firebase Storage bucket

Google Cloud Document AI cannot access Firebase Storage bucket - permission error

I'm trying to import documents from Firebase Storage into Google Cloud Document AI but I'm getting a persistent permission error even after adding the Storage Admin role to the Document AI service account.

Setup

Project: Firebase project with Blaze plan
Storage: Firebase Storage bucket with new naming format (project-id.firebasestorage.app)
Document AI: EU region processor
Files: Test images (JPG format) uploaded to Firebase Storage

When importing documents into Document AI, I get this error:

{
  "name": "projects/123456789/locations/eu/operations/11715819212458821437",
  "done": true,
  "result": "error",
  "response": {},
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.documentai.uiv1beta3.ImportDocumentsMetadata",
    "commonMetadata": {
      "state": "FAILED",
      "createTime": "2025-05-21T20:34:47.093036Z",
      "updateTime": "2025-05-21T20:34:47.093036Z",
      "resource": "projects/123456789/locations/eu/processors/processor-id/dataset"
    },
    "importConfigValidationResults": [
      {
        "inputGcsSource": "gs://my-project.firebasestorage.app/test_images/",
        "status": {
          "code": 7,
          "message": "Does not have permissions [storage.objects.get] in the bucket my-project.firebasestorage.app"
        }
      }
    ]
  },
  "error": {
    "code": 3,
    "message": "Failed to import all documents.",
    "details": []
  }
}

What I've tried

Added Storage Admin role to the Document AI service account (service-[project-number]@gcp-sa-prod-dai-core.iam.gserviceaccount.com) at the bucket level
Tested file access - the same files are accessible from other applications without issues
Verified bucket exists - bucket shows up in Google Cloud Console as my-project.firebasestorage.app

Questions

Are there known compatibility issues between Document AI and Firebase Storage buckets using the new .firebasestorage.app domain format?
Do I need to set additional Firebase-specific permissions beyond GCS permissions for Document AI to access Firebase Storage?
Should I use a different bucket path format when referencing Firebase Storage from Document AI?

Solution

I don’t think this is a compatibility issue. I tried recreating your issue and also added the Storage Admin role in the Document AI service account. It works when working with single files but I received the same error when working with a folder.

It somehow worked when I added the Storage Object User role in my user account (...@google.com) which you can change under the IAM section in the Google Cloud Console.