Reputation: 25387
During the startup of my server I am getting the following error:
StorageException: server@<project>.iam.gserviceaccount.com does not have storage.buckets.create access to project <project-id>.
From the docs here I understand that adding Storage Object Creator to the roles of my service account should be sufficient to get the storage.buckets.create permission.
However, the exception above tells me I am missing something.
Upvotes: 1
Views: 883
Reputation: 1872
The Object Creator role is for creating Storage objects not buckets. To administrate buckets you need the Storage Admin role.
To create that Service Account from the Cloud Shell:
gcloud iam service-accounts create buckets-sa \
--description "Storage admin Service account" \
--display-name "buckets-sa"
# Main role to create Buckets in Google Storage
gcloud projects add-iam-policy-binding [PROJECT] \
--member serviceAccount:buckets-sa@[PROJECT].iam.gserviceaccount.com \
--role roles/storage.admin
# Role for testing: Service Account Token Creator
gcloud projects add-iam-policy-binding [PROJECT] \
--member serviceAccount:buckets-sa@[PROJECT].iam.gserviceaccount.com \
--role roles/iam.serviceAccountTokenCreator
# Create Key
gcloud iam service-accounts keys create key-file.json \
--iam-account buckets-sa@[PROJECT].iam.gserviceaccount.com
# Test: Impersonate service account
gcloud auth activate-service-account buckets-sa@[PROJECT].iam.gserviceaccount.com --key-file=key-file.json
gsutil -i "buckets-sa@[PROJECT].iam.gserviceaccount.com" mb gs://new-bucket
# To restore your account in Cloud Shell, uncomment and execute the following line.
# gcloud auth login
Upvotes: 2
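To see why the question's binding fails and the answer's binding works, the following added example (not code from the question or the answer) checks, offline, which roles bound to a member in a project IAM policy actually include a given permission. The policy and role definitions follow the JSON shapes returned by `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam roles describe ROLE --format=json`; the member name and the permission lists are constructed (the permission lists are a partial subset of the real roles).

```python
"""Which IAM bindings grant a member a permission? Offline check on policy JSON.

Added example, not from the question or answer. Role permission lists below are a
constructed subset of the real roles; the service account name is constructed.
"""

# Constructed subset of `gcloud iam roles describe ROLE --format=json` output.
ROLE_DEFS = {
    "roles/storage.objectCreator": {
        # Object Creator can write objects, but has no bucket-level permissions.
        "includedPermissions": ["storage.objects.create", "storage.multipartUploads.create"],
    },
    "roles/storage.admin": {
        "includedPermissions": ["storage.buckets.create", "storage.buckets.delete",
                                "storage.objects.create", "storage.objects.delete"],
    },
}


def roles_granting(policy: dict, role_defs: dict, member: str, permission: str) -> list:
    """Return roles bound to `member` in `policy` whose definition includes `permission`.

    Conditional bindings are skipped: they apply only when their condition holds,
    so they cannot explain a success or failure without evaluating the condition.
    Unknown roles (not in `role_defs`) grant nothing here; fetch their definition first.
    """
    granting = []
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        if permission in role_defs.get(role, {}).get("includedPermissions", []):
            granting.append(role)
    return granting


# Constructed member, written the way IAM policies list service accounts.
SA = "serviceAccount:server@my-project.iam.gserviceaccount.com"

# Constructed policy matching the question: only Storage Object Creator is bound.
POLICY_BEFORE = {"bindings": [{"role": "roles/storage.objectCreator", "members": [SA]}]}

# Constructed policy after the answer's fix: Storage Admin added on top.
POLICY_AFTER = {"bindings": POLICY_BEFORE["bindings"]
                + [{"role": "roles/storage.admin", "members": [SA]}]}

if __name__ == "__main__":
    for label, pol in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, roles_granting(pol, ROLE_DEFS, SA, "storage.buckets.create"))
```

Run against a real policy by loading the two `gcloud ... --format=json` outputs with `json.load` in place of the constructed dicts; an empty result for `storage.buckets.create` is exactly the situation behind the `StorageException` in the question.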