Google cloud storage gives "insufficient permissions"
I am using this endpoint :
get_media(bucket=*, object=*, ifGenerationNotMatch=None, generation=None, ifMetagenerationMatch=None, ifGenerationMatch=None, ifMetagenerationNotMatch=None, projection=None)
which gives me the error:
apiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/storage/v1/b/my-logs/o/clickstream.1413365729497.log?alt=json returned "Insufficient Permission">
Code:
service = build('storage', 'v1')
contents = service.objects().get(bucket=item['bucket'], object=item['name']).execute(http=http)
item
is the previous (successful) call buckets.list
. This is why the permission error for the service account is so strange.
This is currently on my localhost and my authentication is:
with open(FILE_KEY, 'rb') as f:
key = f.read()
credentials = SignedJwtAssertionCredentials(
SERVICE_EMAIL_ADDRESS,
key,
scope='https://www.googleapis.com/auth/devstorage.full_control',
)
http = httplib2.Http()
http = credentials.authorize(http)
Objects (and new test objects that I loaded afterwards) are created with the default acl permissions. Why doesn't this work for the service account to get the contents of the file?
source to share
Two things that might get in the way here:
- Enumerating objects into a bucket requires READ permission on the bucket, whereas getting an object, even for its metadata, requires READ permission on the object. Perhaps your service account has the first permission and not the second.
- The default service accounts are not part of the Owner, Editor, or Viewer groups, so they do not appear in either the default ACL, the default, or the default ACL.
Does your slave ACL have a service account? An object? Is the service account listed in the object's default ACL, so new objects that do not otherwise override this ACL allow the service account to read it?
See also Access Control .
source to share