
Trying to add an object access control on deployment-manager:

- type: storage.v1.objectAccessControl
  name: url-access
  properties:
    role: READER
    bucket: "bucket"
    object: "object"
    entity: "email"

And I'm getting this error:

ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1574856490078-59852d9a9d256-4d665591-d57c3ea1]: errors:
- code: RESOURCE_ERROR
  location: /deployments/.../resources/user-access
  message: '{
    "ResourceType": "storage.v1.objectAccessControl",
    "ResourceErrorCode": "403",
    "ResourceErrorMessage": {
        "code": 403,
        "errors": [
            {
                "domain": "global",
                "message": "MANAGED_SA@cloudservices.gserviceaccount.com does not have storage.objects.get access to bucket/file.",
                "reason": "forbidden"
            }
        ],
        "message": "MANAGED_SA@cloudservices.gserviceaccount.com does not have storage.objects.get access to bucket/file.",
        "statusMessage": "Forbidden",
        "requestPath": "https://www.googleapis.com/storage/v1/b/bucket/o/file/acl",
        "httpMethod": "POST",
        "suggestion": "Consider granting permissions to MANAGED_SA@cloudservices.gserviceaccount.com"
    }
}'

Weird fact: the MANAGED_SA by default has Editor access on the project. Even after giving it Owner access, I still got this message.

Ramon Medeiros

  • I'm having the same issue, but in my case the service account is created randomly, so I cannot give it permission because with the next trigger another random account is created. Any idea? – celcin Sep 09 '22 at 11:47

1 Answer

Just add the role "Storage Object Admin" for the service account MANAGED_SA@cloudservices.gserviceaccount.com. Viewer was not enough.

Wojtek_B
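The grant the answer describes, as an added example that is not part of the original question or answer. Instead of giving the Deployment Manager service agent Storage Object Admin on the whole project, it binds roles/storage.objectAdmin on the one bucket the objectAccessControl resource targets, which covers the storage.objects.get (and the object update needed to write an ACL) that the 403 above complains about. The bucket name, project number and service-account address are placeholders (assumptions), the service agent's real address has the form PROJECT_NUMBER@cloudservices.gserviceaccount.com, and the script assumes a gcloud CLI that provides `gcloud storage buckets add-iam-policy-binding`. With DRY_RUN=1 it only prints the command it would run.

```shell
#!/bin/sh
# Added example, not code from the original post. Grants the Deployment
# Manager service agent object-admin rights on ONE bucket instead of the
# whole project. All names below are placeholders (assumptions).
#
# DRY_RUN=1 prints the gcloud command instead of executing it.

# is_service_account EMAIL: 0 if EMAIL looks like a GCP service account.
is_service_account() {
  case "$1" in
    *@*.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# grant_bucket_object_admin BUCKET SA_EMAIL
# Binds roles/storage.objectAdmin for SA_EMAIL on gs://BUCKET only.
# Echoes the command it runs so the caller (or a reviewer) can see the
# exact scope of the grant; returns 2 on bad input.
grant_bucket_object_admin() {
  bucket="$1"
  sa="$2"
  if [ -z "$bucket" ] || ! is_service_account "$sa"; then
    echo "usage: grant_bucket_object_admin BUCKET PROJECT_NUMBER@cloudservices.gserviceaccount.com" >&2
    return 2
  fi
  cmd="gcloud storage buckets add-iam-policy-binding gs://$bucket --member=serviceAccount:$sa --role=roles/storage.objectAdmin"
  echo "$cmd"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    return 0
  fi
  $cmd
}

# show_bucket_policy BUCKET: prints the bucket's IAM policy as JSON so you
# can confirm the binding landed (and that nothing broader was added).
show_bucket_policy() {
  bucket="$1"
  cmd="gcloud storage buckets get-iam-policy gs://$bucket --format=json"
  echo "$cmd"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    return 0
  fi
  $cmd
}

# Usage (placeholder values):
#   ./grant.sh my-bucket 123456789012@cloudservices.gserviceaccount.com
if [ "$#" -eq 2 ]; then
  grant_bucket_object_admin "$1" "$2"
  show_bucket_policy "$1"
fi
```

After the binding is in place, re-run `gcloud deployment-manager deployments update`; if the bucket has uniform bucket-level access enabled, object ACL resources cannot be used at all and the permission should instead be granted through bucket IAM, as this script does. Keep the grant at bucket scope unless the deployment really touches objects in every bucket of the project.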