Production App on Google App Engine suddenly lost access to Google Cloud Storage

Question

Our production app (python 2.7 standard environment) running on Google App Engine suddenly lost permissions to write (create objects) on Google Cloud Storage, without any change in the code on our side.

The code is able to create new buckets, but not new objects within them.

It seems that the default app engine service account is not granted the permission. Needless to say, the service account has the Storage Object Creator role, as well as the Editor role on the project level.

Strangely, the exact same code running on the test environment project, continues to work perfectly. We are using the api client library to obtain credentials, like so:

from oauth2client.appengine import AppAssertionCredentials
from apiclient.discovery import build as discovery_build

credentials = AppAssertionCredentials(scope=scope)
http = credentials.authorize(httplib2.Http())
service = discovery_build('storage', 'v1', http=http)

And then using the service to make the api call. All calls to create objects are suddenly failing with the message: "Anonymous caller does not have storage.objects.create access to /"

Any ideas what could suddenly have gone wrong ??

Answer 1

This turned up to be an issue with Google Cloud Storage (GCS). A payed support ticket was opened, after approximately 90 hours, a rollback was made by Google GCS engineers which solved the issue, however, the root cause of the issue was not found or reported. Very troubling that a production app can be affected this way for such a long time and eventually there is no explanation.