I have created a new service account and attached a custom role. This custom role has the storage.buckets.get permission. While using the new service account, I am still getting the following error:
google.api_core.exceptions.Forbidden: 403 GET https://storage.googleapis.com/storage/v1/b/[bucket-name]?projection=noAcl&prettyPrint=false: [service-account-name]@[project-id].iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist).
The Python code:
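import os
from google.cloud import storage
storage_client = storage.Client()
bucket_name = os.getenv('BUCKET_NAME')
# Runs inside a class method; get_bucket() sends the GET request that fails with the 403
self.bucket = storage_client.get_bucket(bucket_name)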
Roles of the service account:
ROLE
projects/[ProjectID]/roles/[CustomRole]
roles/storage.objectCreator
roles/storage.objectUser
roles/storage.objectViewer
roles/viewer
Permissions of projects/[ProjectID]/roles/[CustomRole] role:
description: [some-description]
etag: [some-etag]
includedPermissions:
- storage.buckets.get
name: projects/[ProjectID]/roles/[CustomRole]
stage: ALPHA
title: [Custom Role Title]
What could be the reason? I am making a query to get a particular bucket using this service account.
PS: I have waited 15 minutes and can confirm that the role is properly attached to the service account.