AccessDeniedException when trying to delete a file from Google Cloud Storage despite having Storage Admin role - Stack Overflow

I am facing an AccessDeniedException (403 Access Denied) when trying to delete a file from a Google Cloud Storage bucket. I have assigned the necessary permissions and roles (Storage Admin), but I still can't remove the object.

Steps taken:

IAM Permissions:

The service account has been granted the roles/storage.objectAdmin role on the bucket. My account has both Editor and Storage Admin roles in the project.

Bucket Policy Only:

I checked the bucket's settings and found that Bucket Policy Only is enabled. The Bucket Policy Only feature is locked until a specific future date.

Attempts to Remove the Object:

I attempted to remove a file from the bucket using the gsutil rm command. I received the error: AccessDeniedException: 403 Access denied.

Verification:

I have verified that no retention policy is set, and there is no object lock. I tried disabling Bucket Policy Only using the gcloud command but encountered errors because the option to disable was not recognized.

Current IAM Policy for the Bucket:

- members:
  - projectEditor:project-id
  - projectOwner:project-id
  role: roles/storage.legacyBucketOwner
- members:
  - projectViewer:project-id
  role: roles/storage.legacyBucketReader
- members:
  - projectEditor:project-id
  - projectOwner:project-id
  role: roles/storage.legacyObjectOwner
- members:
  - projectViewer:project-id
  role: roles/storage.legacyObjectReader
- members:
  - serviceAccount:service-account-id
  role: roles/storage.objectAdmin

What I have tried:

  • Adding the storage.objectAdmin role to the service account.

  • Disabling Bucket Policy Only using the gcloud command, but it does not recognize the option.

  • Checking the bucket's permissions and object lock status.

Error Message:

gsutil rm gs://bucket-name/file-name
Removing gs://bucket-name/file-name...
AccessDeniedException: 403 Access denied.

asked Nov 16, 2024 at 19:39 by Adhil; edited Nov 16, 2024 at 19:41 by Doug Stevenson
Comment: "Disabling Bucket Policy Only using the gcloud command, but it does not recognize the option." What do you mean with "it does not recognize the option"? What option? Could you share the output? Also, what is the account executing the gsutil rm command? – MrThompson, commented Nov 16, 2024 at 21:44

1 Answer

As you did not mention it in your post: maybe you just forgot to activate the service account?

gcloud auth activate-service-account [ACCOUNT] --key-file=KEY_FILE

Also, make sure that you have correct permissions to impersonate the SA you want to use.
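
Added example (not part of the original question or answer): an offline evaluation of the bucket policy quoted in the question, showing which callers it grants storage.objects.delete, which is why the identity actually running gsutil rm matters. The role-to-permission table is an abridged assumption based on Google's documented role contents, and every identity other than serviceAccount:service-account-id is constructed.

```python
# Added example, not from the original post. Abridged role contents (only the
# permissions relevant here); confirm with `gcloud iam roles describe ROLE`.
ROLE_PERMS = {
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
    "roles/storage.legacyBucketOwner": {"storage.buckets.get", "storage.objects.list",
                                        "storage.objects.create", "storage.objects.delete"},
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
    "roles/storage.legacyObjectOwner": {"storage.objects.get", "storage.objects.update"},
    "roles/storage.legacyObjectReader": {"storage.objects.get"},
}
PROJECT = "project-id"  # placeholder used in the question

# The bucket policy from the question, as (role, members) bindings.
BUCKET_POLICY = [
    ("roles/storage.legacyBucketOwner", ["projectEditor:project-id", "projectOwner:project-id"]),
    ("roles/storage.legacyBucketReader", ["projectViewer:project-id"]),
    ("roles/storage.legacyObjectOwner", ["projectEditor:project-id", "projectOwner:project-id"]),
    ("roles/storage.legacyObjectReader", ["projectViewer:project-id"]),
    ("roles/storage.objectAdmin", ["serviceAccount:service-account-id"]),
]

def member_ids(principal, basic_roles=()):
    """Member strings that match a caller: itself plus the projectOwner/
    projectEditor/projectViewer convenience values for basic roles it holds."""
    return {principal} | {f"project{r.capitalize()}:{PROJECT}" for r in basic_roles}

def granting_roles(principal, basic_roles=(), permission="storage.objects.delete"):
    """Roles in BUCKET_POLICY that give `principal` the permission (bucket-level
    bindings only; project-level grants and deny policies are not modelled)."""
    ids = member_ids(principal, basic_roles)
    return sorted(role for role, members in BUCKET_POLICY
                  if ids & set(members) and permission in ROLE_PERMS.get(role, set()))

if __name__ == "__main__":
    callers = [  # constructed identities; only the first appears in the question
        ("serviceAccount:service-account-id", ()),
        ("user:editor@example.com", ("editor",)),
        ("user:viewer@example.com", ("viewer",)),
        ("serviceAccount:some-other-sa", ()),
    ]
    for principal, basics in callers:
        roles = granting_roles(principal, basics)
        print(f"{principal:40} delete: {'yes via ' + ', '.join(roles) if roles else 'NO'}")
```

Compare the output with the account reported by `gcloud auth list`: a credential that matches none of the bindings gets no delete permission from this bucket policy.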
