Score:0

GCP deployment to create storage bucket fails on missing storage.buckets.get access

I want to create a cloud storage bucket programmatically using Deployment Manager, but the deployment fails with the following error:

ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1626165906845-5c6fd413930ca-1a833b6c-81671664]: errors:
- code: RESOURCE_ERROR
  location: /deployments/example-config/resources/storage-bucket
  message: '{"ResourceType":"storage.v1.bucket","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"[email protected]
    does not have storage.buckets.get access to the Google Cloud Storage bucket.","reason":"forbidden"}],"message":"[email protected]
    does not have storage.buckets.get access to the Google Cloud Storage bucket.","statusMessage":"Forbidden","requestPath":"https://storage.googleapis.com/storage/v1/b/storage-bucket","httpMethod":"GET","suggestion":"Consider
    granting permissions to [email protected]"}}'

However, I have added roles/storage-admin to the account mentioned in the error, and according to Policy Troubleshooter, access is granted for the storage.buckets.get API call:

[screenshot from the question: Policy Troubleshooter result showing storage.buckets.get granted to the account]

This is the yaml file I use:

imports:
  - path: template.jinja

resources:
  - name: template
    type: template.jinja
    properties:
      storage:
        bucket: qa-bucket-68586

and this is the jinja template:

resources:
  - name: storage-bucket
    type: storage.v1.bucket
    properties:
      kind: storage#bucket
      name: {{ properties["storage"]["bucket"] }}
      location: EU
      projectNumber: {{ env["project_number"] }}
      storageClass: STANDARD

Wojtek_B: What happened after you granted the account the `storage.admin` role? Did the error change?

Carlos Rodriguez: No, the error remained the same.

John Hanley: Is the bucket in a different project? Is the bucket name correct?

Carlos Rodriguez: Yes, the project is the correct one and the name of the bucket is ok.

Carlos Rodriguez: I added the smallest jinja and yaml files that reproduce the problem.

John Hanley: The key is not whether the project name is correct. Which project owns the bucket?

Carlos Rodriguez: I want to create the bucket, so at the moment of executing the deployment no project owns the bucket. The steps go like this: I select the project using `gcloud config set project` on the terminal of my machine; I verify that the project is selected using `gcloud config get-value project`; I check that the account in this project has the `storage.admin` role; and then I run `gcloud deployment-manager deployments create example-config --config deployment.yaml`.
Answer (Score:0)

Based on your question I tried to reproduce your issue but failed, which means I could create a storage bucket with DM.

I used a simpler approach:

resources:
- type: storage.v1.bucket
  name: tb111
  properties:
    project: proj-name
    name: tb111-1

I wasn't using any variables to pass the project name so maybe it worked.

The result was:

wb@cloudshell:~ (proj-name)$ gcloud deployment-manager deployments create deploy-test111 --config b1.yaml
The fingerprint of the deployment is b'fcW0t5_5DD75iIGyHz='
Waiting for create [operation-1626272156399-fe30b8a9-47-53bbc8c4]...done.
Create operation operation-1626272156399-fe30b8a9-47-53bbc8c4 completed successfully.
NAME   TYPE               STATE      ERRORS  INTENT
tb111  storage.v1.bucket  COMPLETED  []

I can see & access it from the console UI.

To start, try just "hardcoding" your project name in your jinja files, or use mine for a start, and this should work.

Carlos Rodriguez: Thanks for the suggestion, Wojtek_B. After some trial and error I found the mistake: the problem was with `name: storage-bucket`. The name of the bucket must be globally unique and `storage-bucket` was already taken. I also made the silly mistake of having the `name` property twice (first one with `storage-bucket` and a second one with `{{ properties["storage"]["bucket"] }}`). I removed the second one, gave a unique number to the bucket, and then it worked. Thanks!
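Two things went wrong in the resolved thread: the bucket name was not globally unique, and the rendered template carried the `name` key twice, which most YAML loaders accept silently (the last value wins, so the intended name never reached the API). The following is an added example, not code from the thread or from Google, that checks a candidate name against the Cloud Storage bucket naming rules, derives a collision-resistant name from a base, and scans a rendered template for repeated keys inside one mapping. `RENDERED_TEMPLATE` is a constructed copy of the question's jinja output with the duplicated key put back in; the function names and the `-<hex>` suffix scheme are this example's own choices. Passing the name check only rules out invalid names; whether a valid name is free is settled by the create call itself.

```python
import re
import secrets

# Constructed rendered template: the jinja from the question with a second
# 'name' key, the mistake described in the final comment. Not a file from
# the thread itself; the project number is a placeholder.
RENDERED_TEMPLATE = """\
resources:
  - name: storage-bucket
    type: storage.v1.bucket
    properties:
      kind: storage#bucket
      name: qa-bucket-68586
      location: EU
      projectNumber: 123456789012
      storageClass: STANDARD
      name: storage-bucket
"""

_ALLOWED = re.compile(r"^[a-z0-9][a-z0-9._-]*[a-z0-9]$")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def bucket_name_problems(name: str) -> list:
    """Return the GCS bucket-name rules that 'name' violates (empty list if
    it looks acceptable): 3-63 characters (dotted names may reach 222 but
    each dot-separated part is limited to 63), lowercase letters, digits,
    dashes, underscores and dots only, starting and ending with a letter or
    digit, not dotted-decimal IP form, no 'goog' prefix and no 'google'."""
    problems = []
    parts = name.split(".")
    if not 3 <= len(name) <= (222 if "." in name else 63):
        problems.append("length")
    if any(len(p) > 63 or not p for p in parts):
        problems.append("dotted component length")
    if not _ALLOWED.match(name):
        problems.append("characters or first/last character")
    if _IPV4.match(name):
        problems.append("looks like an IP address")
    if name.startswith("goog") or "google" in name:
        problems.append("reserved 'goog'/'google'")
    return problems


def unique_bucket_name(base: str, suffix: str = None) -> str:
    """Derive a name unlikely to collide in the global namespace: base plus
    a random hex suffix (or a caller-supplied one), re-checked against the
    rules so a bad base fails here rather than at deploy time."""
    candidate = f"{base}-{suffix or secrets.token_hex(4)}"
    problems = bucket_name_problems(candidate)
    if problems:
        raise ValueError(f"{candidate!r} invalid: {', '.join(problems)}")
    return candidate


def duplicate_keys(yaml_text: str) -> list:
    """Find keys repeated within one mapping of a simple block-style YAML
    document such as a rendered DM template. Returns (line_no, key) pairs.
    Deliberately minimal: it understands indentation and '- ' list items,
    not flow syntax or multi-line scalars."""
    found = []
    frames = []  # stack of [indent, set_of_keys], one per open mapping
    for line_no, line in enumerate(yaml_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        new_item = body.startswith("- ")
        if new_item:
            body = body[2:].lstrip()
            indent += 2  # keys of a list item sit two columns right of '- '
        if ":" not in body:
            continue
        key = body.split(":", 1)[0].strip()
        while frames and frames[-1][0] > indent:
            frames.pop()
        if new_item and frames and frames[-1][0] == indent:
            frames.pop()  # each '- ' begins a fresh mapping at this indent
        if not frames or frames[-1][0] < indent:
            frames.append([indent, set()])
        if key in frames[-1][1]:
            found.append((line_no, key))
        frames[-1][1].add(key)
    return found


if __name__ == "__main__":
    print("duplicates:", duplicate_keys(RENDERED_TEMPLATE))
    print("problems with 'storage-bucket':", bucket_name_problems("storage-bucket"))
    print("suggested name:", unique_bucket_name("qa-bucket"))
```

On the constructed template the scan reports the second `name` under `properties` (line 10) and nothing for the resource-level `name` on line 2, which lives in a different mapping and is legitimate. Running `duplicate_keys` over rendered templates in CI before `gcloud deployment-manager deployments create` catches the silent-overwrite class of mistake; the name check catches the invalid-name class; a name collision still only shows up as the 403 on the pre-create GET discussed in the question.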