My service account which was given storage permissions does not have storage.objects.list access to the Google Cloud Storage bucket

Question

I am using Ubuntu in a VM on Google cloud. I have a .sh script which backs up files to a bucket. When I attempt to run the script, it throws me an error:

AccessDeniedException: 403 [email protected] does not have storage.objects.list access to the Google Cloud Storage bucket.

I gave the service account admin permissions for storage. The account is activated and everything. How do I fix this?

question from:https://stackoverflow.com/questions/65923120/my-service-account-which-was-given-storage-permissions-does-not-have-storage-obj

Answer 1

Since you are executing the script from the Ubuntu VM and Ubuntu VM usually have the access scope to read only. This might be blocking to upload backup file to GCS bucket.

To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance. Use one of the following methods to the change service account or access scopes of the stopped instance.

Also using the gcloud command you can change the access scope.

gcloud compute instances set-service-account [INSTANCE_NAME] 
   [--service-account [SERVICE_ACCOUNT_EMAIL] | --no-service-account] 
   [--no-scopes | --scopes [SCOPES,...]]

Once your instance turned off you can set the access scope for Storage to Full and I think it will work for you as you have assigned Storage Admin roles to Service Account.