I am trying to get a Google Cloud Functions to print something from a file in a storage bucket.
I have the file stored in a bucket, an authenticated service account with Cloud Run Admin, Service Account User and Cloud Functions Admin, and the following python script.
import json

from google.cloud import storage


def from_storage(event, context):
    client = storage.Client(project='my-project')
    try:
        bucket = client.get_bucket('my-storage')
    except Exception as e:
        print('Bucket not found.')
        print(e)
        return None  # without this, `bucket` would be unbound in the next block
    try:
        blob = bucket.blob('Hello_World.json')
        # download_as_string() returns bytes, so json.loads() is needed;
        # json.load() expects a file-like object and would raise
        data = json.loads(blob.download_as_string())
        return data
    except Exception as e:
        print('Error loading file:')
        print(e)
I try to deploy this with the following code:
gcloud functions deploy from_storage --runtime python39 --trigger-http --allow-unauthenticated
To which I get an error that the deploying service account (which seems to be an automatically created service account) does not have access:
ERROR: (gcloud.functions.deploy) OperationError: code=3, message=Build failed: could not resolve storage source: googleapi: Error 403: firstname.lastname@example.org does not have storage.objects.get access to the Google Cloud Storage object., forbidden
I find this rather strange, as I do not see this service account in my IAM, nor can I access its permissions in Cloud Functions. Any help would be greatly appreciated!
I would guess that the email@example.com – is a Cloud Build service account, where the prefix (number) is the number of the project where that Cloud Build is running. Can you check that the Cloud Build API is enabled and that the Cloud Build service account has the relevant permissions, please?
During the runtime, by default, the cloud function is running under the PROJECT_ID@appspot.gserviceaccount.com service account, where PROJECT_ID is the ID of the project where that cloud function is deployed (and should run). This is the App Engine default service account.
It is possible (and recommended) to create a dedicated service account according to the principle of least privilege. In that case you might deploy the cloud function with the corresponding arguments (not in your example).
From the best of my understanding of your particular example, the default App Engine service account is going to be used.
In either case, the cloud function runtime service account should have relevant privileges (IAM permissions/roles) to work with APIs and resources (in any projects).
Can you check that the cloud function runtime service account has the relevant permissions for accessing the cloud storage bucket, please? Bear in mind that the cloud function might be deployed into one project, and the bucket might be in another project.
In your post you mentioned that you have “an authenticated service account with” some permissions. What is that service account for, if you deploy your service account with the default App Engine Account? Probably I missed something. “In order to deploy a function with a non-default service account, the deployer must have the iam.serviceAccounts.actAs permission on the service account being deployed.” – from Permissions required to use non-default identities. If that is your case – can you check it as well, please?
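The least-privilege setup the answer describes (dedicated runtime service account, bucket-scoped read access, actAs for the deployer, Cloud Build API enabled), as an added example script that is not part of the original question or answer. The project, bucket, region, service-account name and deployer address are assumed placeholders; with DRY_RUN=1 (the default) the gcloud commands are only printed so they can be reviewed before anything in the project is changed.

```shell
#!/bin/sh
# Constructed example: least-privilege deployment of from_storage.
# All names below are assumptions; replace them with your own values.
set -eu

PROJECT="${PROJECT:-my-project}"              # project hosting the function
BUCKET="${BUCKET:-my-storage}"                # bucket holding Hello_World.json
SA_NAME="${SA_NAME:-from-storage-fn}"         # dedicated runtime identity
REGION="${REGION:-europe-west1}"
DEPLOYER="${DEPLOYER:-deployer@example.com}"  # account that runs the deploy
DRY_RUN="${DRY_RUN:-1}"                       # 0 = actually run gcloud

SA_EMAIL="${SA_NAME}@${PROJECT}.iam.gserviceaccount.com"

# Print the command; execute it only when DRY_RUN=0.
run() {
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# 0. The build step runs as PROJECT_NUMBER@cloudbuild.gserviceaccount.com,
#    which only exists once the Cloud Build API is enabled.
enable_cloud_build() {
  run gcloud services enable cloudbuild.googleapis.com --project "$PROJECT"
}

# 1. Dedicated runtime identity instead of PROJECT_ID@appspot.gserviceaccount.com.
create_runtime_sa() {
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT" \
      --display-name "from_storage runtime"
}

# 2. Read access on this one bucket only, not a project-wide storage role.
grant_bucket_read() {
  run gcloud storage buckets add-iam-policy-binding "gs://${BUCKET}" \
      --member "serviceAccount:${SA_EMAIL}" --role roles/storage.objectViewer
}

# 3. The deployer needs iam.serviceAccounts.actAs on the runtime SA.
grant_deployer_act_as() {
  run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
      --project "$PROJECT" --member "user:${DEPLOYER}" \
      --role roles/iam.serviceAccountUser
}

# 4. Deploy under the dedicated identity (--service-account is the
#    "corresponding argument" the answer refers to). --allow-unauthenticated
#    makes the HTTP endpoint public, as in the question's command.
deploy_function() {
  run gcloud functions deploy from_storage --project "$PROJECT" --region "$REGION" \
      --runtime python39 --trigger-http --entry-point from_storage \
      --service-account "$SA_EMAIL" --allow-unauthenticated
}

enable_cloud_build; create_runtime_sa; grant_bucket_read
grant_deployer_act_as; deploy_function
```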