Reputation: 23
I am facing an AccessDeniedException (403 Access Denied) when trying to delete a file from a Google Cloud Storage bucket. I have assigned the necessary permissions and roles (Storage Admin), but I still can't remove the object.
Steps taken:
IAM Permissions:
The service account has been granted the roles/storage.objectAdmin role on the bucket. My account has both Editor and Storage Admin roles in the project.
Bucket Policy Only:
I checked the bucket's settings and found that Bucket Policy Only is enabled. The Bucket Policy Only feature is locked until a specific future date.
Attempts to Remove the Object:
I attempted to remove a file from the bucket using the gsutil rm command. I received the error: AccessDeniedException: 403 Access denied.
Verification:
I have verified that no retention policy is set, and there is no object lock. I tried disabling Bucket Policy Only using the gcloud command but encountered errors because the option to disable was not recognized.
Current IAM Policy for the Bucket:
- members:
  - projectEditor:project-id
  - projectOwner:project-id
  role: roles/storage.legacyBucketOwner
- members:
  - projectViewer:project-id
  role: roles/storage.legacyBucketReader
- members:
  - projectEditor:project-id
  - projectOwner:project-id
  role: roles/storage.legacyObjectOwner
- members:
  - projectViewer:project-id
  role: roles/storage.legacyObjectReader
- members:
  - serviceAccount:service-account-id
  role: roles/storage.objectAdmin
What I have tried:
Adding the storage.objectAdmin role to the service account.
Disabling Bucket Policy Only using the gcloud command, but it does not recognize the option.
Checking the bucket's permissions and object lock status.
Error Message:
gsutil rm gs://bucket-name/file-name
Removing gs://bucket-name/file-name...
AccessDeniedException: 403 Access denied.
Upvotes: 0
Views: 50
Reputation: 51
As you did not mention it in your post: maybe you just forgot to activate the service account?
gcloud auth activate-service-account [ACCOUNT] --key-file=KEY_FILE
Also, make sure that you have the correct permissions to impersonate the SA you want to use.
Upvotes: 0
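To see why the identity that gsutil actually runs as matters once Bucket Policy Only (uniform bucket-level access) is on, here is an added example, not code from either poster, that evaluates the bucket policy quoted in the question. The role-to-permission map is a hand-copied subset of the predefined Cloud Storage roles, and the project-level convenience-member lookup (`PROJECT_CONVENIENCE`) and the user principals are constructed stand-ins.

```python
"""Which principals may delete objects under the bucket policy from the question?

With uniform bucket-level access (Bucket Policy Only) enabled, only the bucket
and project IAM policies are consulted; object ACLs are ignored entirely.
"""

# Hand-copied subset of the predefined roles (only permissions relevant here).
ROLE_PERMISSIONS = {
    "roles/storage.legacyBucketOwner": {
        "storage.buckets.get", "storage.objects.list",
        "storage.objects.create", "storage.objects.delete"},
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
    "roles/storage.legacyObjectOwner": {"storage.objects.get", "storage.objects.update"},
    "roles/storage.legacyObjectReader": {"storage.objects.get"},
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.delete", "storage.objects.get",
        "storage.objects.list", "storage.objects.update"},
}

# The bucket policy quoted in the question, as (members, role) bindings.
BUCKET_BINDINGS = [
    ({"projectEditor:project-id", "projectOwner:project-id"}, "roles/storage.legacyBucketOwner"),
    ({"projectViewer:project-id"}, "roles/storage.legacyBucketReader"),
    ({"projectEditor:project-id", "projectOwner:project-id"}, "roles/storage.legacyObjectOwner"),
    ({"projectViewer:project-id"}, "roles/storage.legacyObjectReader"),
    ({"serviceAccount:service-account-id"}, "roles/storage.objectAdmin"),
]

# Constructed stand-in for the project policy: which convenience members
# (projectOwner/Editor/Viewer) a principal expands to. Real data would come
# from the project's IAM policy, not from a table like this.
PROJECT_CONVENIENCE = {"user:alice@example.com": {"projectEditor:project-id"}}


def effective_members(principal: str) -> set:
    """A principal matches its own bindings plus any convenience member it belongs to."""
    return {principal} | PROJECT_CONVENIENCE.get(principal, set())


def permissions_for(principal: str) -> set:
    """Union of permissions from every bucket binding that names the principal."""
    members = effective_members(principal)
    perms = set()
    for binding_members, role in BUCKET_BINDINGS:
        if members & binding_members:
            perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can_delete_objects(principal: str) -> bool:
    """True only if some binding grants storage.objects.delete to this principal."""
    return "storage.objects.delete" in permissions_for(principal)


if __name__ == "__main__":
    for p in ("serviceAccount:service-account-id", "user:alice@example.com", "user:bob@example.com"):
        print(p, "can delete:", can_delete_objects(p))
```

If the credential gsutil is using resolves to a principal like `user:bob@example.com` (no binding at all), the evaluation is exactly the 403 in the question, regardless of what roles some other account holds.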