I am trying to give the Google CDN service account access to my bucket as said here: https://cloud.google.com/cdn/docs/using-signed-urls

gsutil iam ch serviceAccount:service-{PROJECT_NUMBER}@cloud-cdn-fill.iam.gserviceaccount.com:objectViewer gs://{BUCKET}

But the response is: BadRequestException: 400 Invalid argument

Adding it via the cloud console is also impossible; it says "Email addresses and domains must be associated with an active Google Account or Google Apps account."

Am I missing something or is this a bug?

hpohl

1 Answer

The Cloud CDN cache fill service account is created when you enable signed URLs. The error message suggests there's a problem with the project number or you haven't yet enabled signed URLs for that project. You can enable signed URLs by following the instructions at https://cloud.google.com/cdn/docs/using-signed-urls#creatingkeys. Make sure you enable signed URLs for a backend service or backend bucket in the same project you specify in the gsutil command.

elving
  • I thought I already created a signed URL key but apparently I missed the last of the three "save" buttons I have to press in a row. Still, my bad. Maybe some clarification about the service account in the docs would help. – hpohl Aug 23 '18 at 08:23
  • I get the message "No changes made to gs://[bucket]". And I still get the alert of no permissions given. If I go to IAM I find no service with name cloud-cdn-fill.iam. Do I have to create it manually? – htafoya Sep 14 '18 at 09:05
  • htafoya, "No changes made" suggests you've already given the account access. You shouldn't see the account listed in IAM because it is Cloud CDN's account, not yours. Where do you see a no permissions given alert, and what exactly does the alert say? – elving Sep 15 '18 at 00:06
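
An added example, not part of the thread above: since the cache fill account is not listed on the project IAM page, one way to confirm the grant is to inspect the bucket's own policy, i.e. the JSON printed by `gsutil iam get gs://{BUCKET}`. The function name, the sample policy and the project number 123456789012 are constructed for illustration.

```python
import json
import re

# Role that `gsutil iam ch ...:objectViewer` adds to a bucket policy.
VIEWER_ROLE = "roles/storage.objectViewer"
# Member string for a Cloud CDN cache fill service account (format from the question).
FILL_SA = re.compile(
    r"^serviceAccount:service-(\d+)@cloud-cdn-fill\.iam\.gserviceaccount\.com$"
)


def check_cdn_fill_access(policy_json, project_number):
    """Classify a bucket IAM policy for the given project's cache fill account.

    Returns (status, details):
      granted       - the account holds objectViewer; details = its roles
      wrong_role    - the account is bound, but not to objectViewer
      wrong_project - only another project's cache fill account is bound;
                      details = the project numbers found
      missing       - no cache fill account is bound at all
    """
    policy = json.loads(policy_json)
    grants = {}  # project number -> set of roles bound to its fill account
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            match = FILL_SA.match(member)
            if match:
                grants.setdefault(match.group(1), set()).add(binding["role"])
    mine = grants.get(str(project_number), set())
    if VIEWER_ROLE in mine:
        return "granted", sorted(mine)
    if mine:
        return "wrong_role", sorted(mine)
    if grants:
        return "wrong_project", sorted(grants)
    return "missing", []


# Constructed sample of `gsutil iam get` output; all values are placeholders.
SAMPLE_POLICY = """{
  "bindings": [
    {"members": ["projectOwner:example-project"],
     "role": "roles/storage.legacyBucketOwner"},
    {"members": ["serviceAccount:service-123456789012@cloud-cdn-fill.iam.gserviceaccount.com"],
     "role": "roles/storage.objectViewer"}
  ],
  "etag": "CAI="
}"""

if __name__ == "__main__":
    print(check_cdn_fill_access(SAMPLE_POLICY, 123456789012))
    print(check_cdn_fill_access(SAMPLE_POLICY, 999999999999))
```

A `wrong_project` result corresponds to the project number mismatch the answer mentions: the binding exists, but for a different project's cache fill account.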