Nodejs-storage: The caller does not have permission when attempting to use Google Cloud Storage within Cloud Run

Created on 20 Jun 2020  路  6Comments  路  Source: googleapis/nodejs-storage

I'm attempting to get a Node project setup on Google Cloud Run with Cloud Storage. I am running into an authentication issue when using a created Service Account.

When creating the service account I did successfully download the JSON token and got everything running correctly in my local development environment.

The issue is when I have the application deployed successfully to Cloud Run I get the following error:

Error: The caller does not have permission

This occurs when I am attempting to get a signed URL for uploading files to a Storage Bucket.

I create the Storage client like this:

const { Storage } = require("@google-cloud/storage");
const storage = new Storage();

...and further down in my script the call is like this:

const [url] = await storage
  .bucket(bucketName)
  .file(filename)
  .getSignedUrl(options);

I have setup the the following permissions for the IAM Service Account:

  • Cloud SQL Client - Maybe relevant? I have Cloud SQL successfully working on deployed environment.
  • Service Account User - Needed to be used as a Service Account?
  • Storage Object Creator - I only need the ability to create signed upload urls from this project.
  • I have also assigned the mentioned service account to the Cloud Run instance via the console.

Just to confirm, the application runs 100% correctly locally using the Service Account JSON Key, it's just not working when running in the Google Cloud.

storage question

Most helpful comment

I managed to resolve the issue. It looks like when deployed into Cloud Run it also requires the extra permission "Service Account Token Creator" to run getSignedUrl. Locally for some reason this role is not required.

I'm not sure if this mismatch needs further investigation?

All 6 comments

I managed to resolve the issue. It looks like when deployed into Cloud Run it also requires the extra permission "Service Account Token Creator" to run getSignedUrl. Locally for some reason this role is not required.

I'm not sure if this mismatch needs further investigation?

From https://cloud.google.com/iam/docs/service-accounts#token-creator-role:

The Service Account Token Creator role
This role enables impersonation of service accounts to create OAuth2 access tokens, sign blobs, or sign JWTs.

We use signBlob to create signatures for signed URLs, so this role would be required.

Your local credentials (service account or application default credentials) might include wide roles that covers this permission so that could explain the difference.

Which user did you add these permissions to?

Closing due to inactivity. Please re-open if this is still an issue

Which user did you add these permissions to?

In my case

[project_number]@cloudbuild.gserviceaccount.com
[project_number]@cloudservices.gserviceaccount.com

Which user did you add these permissions to?

In general it needs to be added to the Service Account the Cloud Run Service/Revision is running under.
By default it is the Default compute service account

Was this page helpful?
0 / 5 - 0 ratings