Jane Wayne

Reputation: 8865

When attempting to create a Data Store for GCP's "Search & Conversation", storage.objects.get permission is missing

For Google Cloud Platform's Search & Conversation, I am trying to create a "Data Store" using Google Cloud Storage (GCS) as the source. Step 1 is to choose the source (GCS in this case), and Step 2 is to point to the actual GCS bucket/path. After selecting the GCS bucket/path, I get the following permission error.

Missing required permissions: storage.objects.get

I have no idea which Service Account is missing the permission. However, I took a guess and thought it was either the "compute" or "aiplatform" accounts (see the name patterns of the accounts below).

Using IAM & Admin, to these accounts, I added the following Roles.

However, this does not help make the permission error go away. To the actual bucket and "folder" inside the bucket, I also checked, verified and modified the permissions (eg Grant Access) for the two service accounts above. These changes also do not make the error go away.

Any ideas which service account is being used to define a Data Source for Search & Conversation? I have followed the following tutorials to no success on my own data.

For the second link above, when I point to the Kaggle Movies dataset on GCS, it actually works (eg. gs://cloud-samples-data/gen-app-builder/search/kaggle_movies).

Any ideas on what I am doing wrong?

Upvotes: 2

Views: 1310

Answers (5)

Allan Felipe Silva

Reputation: 1

Grant the "Editor" permission to all service accounts; that should solve the problem.

Upvotes: 0

Eloi M.

Reputation: 37

I tried the same steps as you did, granting Storage Admin role to multiple Service Accounts that could be related to Search and Conversation but nothing worked out.

However, I decided to try to change from Fine Grained object control access to Uniform access to all objects in the bucket. After changing this config of my bucket the permission error disappeared.

Feel free to try and let me know if this also worked for you.

Upvotes: 1

Daniel Gwerzman

Reputation: 121

I added to my user the "Storage Object Viewer" Role, and it solved the problem.

More info here: https://cloud.google.com/generative-ai-app-builder/docs/access-control

Upvotes: 0

RML

Reputation: 11

I had the same issue. I found adding the storage.object.admin permission to both my user role i.e. [email protected] and to the compute service account: [numbers][email protected] resolved the issue.

Upvotes: 1

Nestor

Reputation: 1377

I have replicated your steps, and it seems to be working fine for me with these roles:

[image]

But the roles were assigned to my user.

Data store creation: [image]

Upvotes: 0
