Score:1

Service account does not have storage.buckets.get access to the Google Cloud Storage bucket

I am running Ansible with the following configuration, which should create a storage bucket on Google Cloud.

- name: "Create {{ environ.name }}-cluster-backups"
  google.cloud.gcp_storage_bucket:
    name: "zeipt-io-{{ environ.name }}-cluster-backups"
    location: "{{ google_cloud.region }}"
    storage_class: "NEARLINE"
    lifecycle:
      rule:
        - condition:
            age_days: 28
          action:
            type: "Delete"
    project: "{{ google_cloud.project }}"
    auth_kind: "{{ google_cloud.auth_kind }}"
    service_account_file: "{{ google_cloud.service_account_file }}"
    state: present

This gives the error:

fatal: [localhost]: FAILED! => {"changed": false, "msg": "GCP returned error: {'error': {'code': 403, 'message': '[email protected] does not have storage.buckets.get access to the Google Cloud Storage bucket.', 'errors': [{'message': '[email protected] does not have storage.buckets.get access to the Google Cloud Storage bucket.', 'domain': 'global', 'reason': 'forbidden'}]}}"}

I understand the error, but I have checked the roles assigned to this user like so:

gcloud projects get-iam-policy staging-environment --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:[email protected]"
ROLE
roles/owner
roles/storage.admin
roles/storage.objectAdmin
roles/storage.objectCreator
roles/storage.objectViewer

roles/storage.admin should satisfy the requirement as I checked the Google Cloud IAM Roles page which states that this role has the storage.buckets.* permission.

I do not understand why I still get the same error.

John Hanley: Where (desktop, Compute Engine, ...) are you running ansible? If on a compute service, check the scopes enabled for the VM. https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam
Markus Tenghamn (asker): @JohnHanley I am running it locally on my Mac. I am able to create networks, clusters and much more, but not buckets.
John Hanley: In your command **gcloud projects get-iam-policy** add the command line option **--project PROJECT_ID**. Specify the same project that you are using with Ansible. Maybe you added the correct roles for the wrong project.
Markus Tenghamn (asker): Adding `--project PROJECT_ID` and replacing the name of the same project I have configured in ansible shows the same output. I am starting to think the roles are cached somehow.
John Hanley: The roles are not cached locally. In Google Cloud, they are globally distributed. Create a new service account and try again. Something simple is being overlooked.
John Hanley: Is the bucket in the same project? Misspelled bucket name?
Priyashree Bhadra: Is your issue resolved @MarkusTenghamn?
Markus Tenghamn (asker): @PriyashreeBhadra no, I never solved this issue. I had to do this manually because I am still not able to use a service account.
Markus Tenghamn (asker): @JohnHanley Sorry for not replying to you. I am trying to create a bucket, so it should not be an issue, but I have double-checked that the service account is in the right project and it's also the project I am running ansible for.
Priyashree Bhadra: Can you check if the bucket name you are trying to create already exists? You can check that in Google Cloud Console > Cloud Storage and enter the bucket name. If it shows an error then I believe that the issue was that you were trying to create/update a bucket owned by a different user belonging to a different project upon which your service account has no power. Therefore please try to redeploy changing the name to one that is likely unique.
Priyashree Bhadra: This can be an issue in some scenarios because either you chose a very long name or it is not unique. Follow these [guidelines](https://cloud.google.com/storage/docs/naming-buckets) if this is the issue.
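A small triage helper, added here as an example and not part of the question or any comment: it parses the failure message shown in the question, checks the bucket name against the naming rules linked in the last comment, and separates "role missing in this project" from "roles are fine, so the name is probably taken in another project" (the module looks the bucket up before creating it, which is why a name owned elsewhere surfaces as a storage.buckets.get 403 rather than a conflict). The principal in the sample and the inclusion of editor/viewer in the role set are assumptions.

```python
import ast
import re

# Predefined roles that carry storage.buckets.get when bound on the project (the question
# lists roles/owner and roles/storage.admin; editor and viewer are added here as assumptions).
ROLES_WITH_BUCKETS_GET = {"roles/owner", "roles/editor", "roles/viewer", "roles/storage.admin"}
ERROR_RE = re.compile(r"GCP returned error: (\{.*\})\s*$", re.S)
PERM_RE = re.compile(r"(?P<principal>\S+) does not have (?P<perm>\S+) access")
CHARSET_RE = re.compile(r"^[a-z0-9][a-z0-9._-]*[a-z0-9]$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample of the failure shown in the question; the principal is a placeholder.
SAMPLE_MSG = ("GCP returned error: {'error': {'code': 403, 'message': 'sa-placeholder@example-project"
              ".iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud "
              "Storage bucket.', 'errors': [{'message': 'redacted', 'domain': 'global', 'reason': 'forbidden'}]}}")


def parse_gcp_error(msg):
    """Extract code, reason, principal and permission from an Ansible gcp_* failure msg.
    The module embeds a Python dict repr (single quotes), hence ast.literal_eval, not json."""
    m = ERROR_RE.search(msg)
    err = ast.literal_eval(m.group(1))["error"]
    pm = PERM_RE.search(err["message"])
    return {"code": err["code"], "reason": err["errors"][0]["reason"],
            "principal": pm.group("principal") if pm else None,
            "permission": pm.group("perm") if pm else None}


def bucket_name_problems(name):
    """Violations of the GCS naming rules: lowercase, 3-63 chars (222 with dots, 63 per label)."""
    labels, problems = name.split("."), []
    if (not CHARSET_RE.match(name) or not 3 <= len(name) <= (222 if len(labels) > 1 else 63)
            or any(not 1 <= len(label) <= 63 for label in labels)):
        problems.append("bad length/charset")
    if name.lower().startswith("goog") or "google" in name.lower():
        problems.append("reserved prefix/word")
    if IPV4_RE.match(name):
        problems.append("looks like an IP address")
    return problems


def triage(msg, project_roles, bucket_name):
    e = parse_gcp_error(msg)
    if e["code"] != 403 or e["permission"] != "storage.buckets.get":
        return "other-error"
    if bucket_name_problems(bucket_name):
        return "invalid-bucket-name"
    if project_roles & ROLES_WITH_BUCKETS_GET:
        # Roles suffice here, so the pre-create lookup most likely hit a same-named bucket
        # owned by another project (bucket names are global): choose a unique name.
        return "name-likely-taken-elsewhere"
    return "missing-role"
```

Feed it the roles returned by the `gcloud projects get-iam-policy` query from the question, run against the same project the playbook targets.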
Score:0

I understand that some members of the community have offered you some solutions in order to resolve your issue, but apparently none of them have been useful for your issue. Also, I understand that you're using GCP to create the service account and assign the roles.

Maybe you can try to create the service account and the roles for the service account from ansible, and check if that works.

You can create the service account using this plugin: google.cloud.gcp_iam_service_account (Creates a GCP ServiceAccount).

Example:

- name: create a service account
  google.cloud.gcp_iam_service_account:
    name: sa-{{ resource_name.split("-")[-1] }}@graphite-playground.google.com.iam.gserviceaccount.com
    display_name: My Ansible test key
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

And you can assign the roles using the plugin google.cloud.gcp_iam_role (Creates a GCP Role).

Example:

- name: create a role
  google.cloud.gcp_iam_role:
    name: myCustomRole2
    title: My Custom Role
    description: My custom role description
    included_permissions:
    - iam.roles.list
    - iam.roles.create
    - iam.roles.delete
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Remember that these plugins are part of the google.cloud collection, which should be installed if you're using the ansible package.

Comment: @Markus Tengham, did this answer help you? If so, could you please upvote it or mark it as accepted to help the community? Thanks.