When trying to get a bucket (to be able to manipulate blobs), I get a 403 error:

```
$ python3 < <( echo 'from google.cloud import storage'; echo 'client = storage.Client()'; echo 'client.get_bucket("my-bucket")' )
Traceback (most recent call last):
  File "<stdin>", line 3, in <module>
  File "/home/account/.pyenv/versions/venv-name/lib/python3.7/site-packages/google/cloud/storage/client.py", line 278, in get_bucket
    bucket.reload(client=self)
  File "/home/account/.pyenv/versions/venv-name/lib/python3.7/site-packages/google/cloud/storage/_helpers.py", line 130, in reload
    _target_object=self,
  File "/home/account/.pyenv/versions/venv-name/lib/python3.7/site-packages/google/cloud/_http.py", line 393, in api_request
    raise exceptions.from_http_response(response)
google.api_core.exceptions.Forbidden: 403 GET https://www.googleapis.com/storage/v1/b/my-bucket?projection=noAcl: [email protected] does not have storage.buckets.get access to my-bucket.
```
This service account has the Storage Object Admin role, assigned at the bucket level. According to https://cloud.google.com/storage/docs/access-control/iam-roles it doesn't contain storage.buckets.get, so is it not necessary to list the blobs in a bucket?
I was following https://github.com/googleapis/google-cloud-python/blob/master/storage/docs/snippets.py#L138 , trying to select objects for deletion from a bucket.
Possibly relates to #6092 . Is there a better place to ask questions like this, before deciding it's a bug that should be reported?
Hi @sbienkow,
I believe you're encountering a common issue [1].
You're correct in saying "so is it not necessary to list the blobs in a bucket?". The method Client.get_bucket() makes a GET request for bucket metadata, which the service account you're using doesn't have permission to access.
The replacement that avoids performing a GET request is to use Client.bucket(). The complete example is below:
```python
from google.cloud import storage

bucket_name = "my-bucket"            # placeholder values; substitute your own
source_blob_name = "path/to/object"
file_name = "downloaded-object"
storage_client = storage.Client()
bucket = storage_client.bucket(bucket_name)   # local handle only; no GET on bucket metadata
blob = bucket.blob(source_blob_name)
blob.download_to_filename(file_name)          # needs only storage.objects.get
```
Reference: https://stackoverflow.com/questions/51420996/are-legacy-cloud-storage-permissions-required/51452170
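The original poster wanted to select objects for deletion, not just download one. The following is an added example (not code from this issue or from the google-cloud-python project) that carries the answer above through to that workflow: it builds the bucket handle with Client.bucket() so no bucket-metadata GET is made, checks up front via testIamPermissions that the caller holds exactly the object-level permissions the loop needs, lists under a prefix, and deletes the objects matching a glob. The selection step is a pure function so it can be exercised offline. It assumes google-cloud-storage is installed, Application Default Credentials are available, the account may call testIamPermissions on the bucket, and a placeholder bucket name "my-bucket"; the Storage Object Admin binding is assumed to grant storage.objects.list and storage.objects.delete, consistent with the role document linked in the issue.

```python
"""Select and delete objects from a bucket using only object-level permissions.

Added example (not the project's own code): the bucket handle is built with
Client.bucket() (no request), the needed permissions are verified with
testIamPermissions, and the selection step is a pure function so it can be
exercised offline.
"""
from __future__ import annotations

import fnmatch
from typing import Iterable

# Permissions the list-and-delete workflow actually needs. These are all
# object-level permissions, so a bucket-level "Storage Object Admin" binding
# is enough; storage.buckets.get is deliberately not on the list.
REQUIRED_PERMISSIONS = ("storage.objects.list", "storage.objects.delete")


def select_for_deletion(names: Iterable[str], pattern: str) -> list[str]:
    """Return the object names matching a glob pattern, sorted.

    Kept separate from any network call so the selection logic can be
    unit-tested (and dry-run) without credentials.
    """
    return sorted(name for name in names if fnmatch.fnmatch(name, pattern))


def missing_permissions(
    granted: Iterable[str], required: Iterable[str] = REQUIRED_PERMISSIONS
) -> list[str]:
    """Return the required permissions that are absent from the granted set."""
    granted_set = set(granted)
    return sorted(p for p in required if p not in granted_set)


def delete_matching(
    bucket_name: str, prefix: str, pattern: str, dry_run: bool = True
) -> list[str]:
    """List objects under `prefix`, select those matching `pattern`, delete them.

    Assumes google-cloud-storage is installed and Application Default
    Credentials are available; the SDK is imported lazily so this module
    still loads (and the pure helpers still run) without it.
    """
    from google.cloud import storage  # assumption: SDK installed

    client = storage.Client()
    # bucket() constructs a handle locally; unlike get_bucket() it does not
    # issue the GET on bucket metadata that requires storage.buckets.get.
    bucket = client.bucket(bucket_name)

    # testIamPermissions returns the subset of the requested permissions the
    # caller holds, so we fail early with a clear message instead of hitting
    # a 403 halfway through the deletion loop.
    granted = bucket.test_iam_permissions(list(REQUIRED_PERMISSIONS))
    missing = missing_permissions(granted)
    if missing:
        raise PermissionError(f"missing on {bucket_name}: {', '.join(missing)}")

    # Listing objects needs storage.objects.list only; the prefix narrows the
    # server-side listing before the client-side glob match.
    names = [blob.name for blob in bucket.list_blobs(prefix=prefix)]
    selected = select_for_deletion(names, pattern)
    if not dry_run:
        for name in selected:
            bucket.blob(name).delete()  # storage.objects.delete
    return selected


if __name__ == "__main__":
    # Dry run against a placeholder bucket; pass dry_run=False to actually delete.
    print(delete_matching("my-bucket", prefix="logs/", pattern="logs/*.tmp"))
```

Running it with the default dry_run=True only reports what would be deleted, which is the sensible first invocation for any account whose effective permissions you have not yet confirmed; the PermissionError names the exact missing permission, which is more useful to the operator than the generic 403 in the traceback above.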
@sbienkow Please follow up and reopen if @frankyn's response isn't sufficient.
Hey,
Sorry, I wasn't checking my mail. This solved my issue; it works perfectly. I wish I'd found it somewhere in the docs / snippets.
Thank you.
Hi @frankyn, what's the equivalent for the Java SDK? Thank you
Never mind, I found the answer farther down in the Google results:

```java
BlobId blobId = BlobId.of(bucketName, "my_blob_name");
Blob blob = storage.get(blobId);
```