Hi @rrotter ,
Welcome to Google Cloud Community!
Based on the error you receive, your access account still doesn’t have the required storage.buckets.get permission. You need to check the IAM policies applied at the bucket level and those inherited from the project level.
To check bucket-level policy:
gcloud storage buckets get-iam-policy gs://[bucket-name] --format=json
To check project-level policy:
gcloud projects get-iam-policy [project-ID] --format=json
Another way: to allow a service account to upload files only to a specific ‘folder’ (path prefix) within a bucket, grant it the roles/storage.objectCreator role combined with an IAM Condition that restricts object creation to that prefix.
- Go to the Google Cloud Console → Cloud Storage → Buckets → Select your bucket.
- Click the “PERMISSIONS” tab.
- Click “+ GRANT ACCESS”.
- Enter the email address(es) of the user(s) or service account(s) you want to grant upload access to.
- Assign Role:
  - Click “Select a role”.
  - Filter by typing “Object Creator”.
  - Select the Storage Object Creator (roles/storage.objectCreator) role.
- Add IAM Condition (Crucial Step):
  - Click “+ ADD IAM CONDITION”.
  - Give it a descriptive title.
  - Select “Condition Editor”.
  - Condition: use the resource.name attribute, which represents the full object path:
    resource.name.startsWith("projects/_/buckets/[BUCKET NAME]/objects/[FOLDER NAME]")
  - Click save.
- Save the role binding.
This will allow the service account to upload files to destination objects whose name starts with the folder name. But this role does not grant storage.objects.list. You can also add roles/storage.objectViewer with a condition.
Follow the same steps as above, but change the assigned role to “Object Viewer”.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
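An added example, not from the original post: it builds the conditional binding described above as a gcloud command (printed, not executed, so it runs offline) and emulates locally how the resource.name prefix check treats object names. The bucket name, folder prefix and service account are placeholders, and the trailing "/" on the prefix is an assumption added here, because without it the prefix also matches sibling folders such as uploads-archive/.

```shell
#!/bin/sh
# Added example (placeholders, not the poster's code). Object resource names
# have the form "projects/_/buckets/<bucket>/objects/<object>".

# CEL expression for the IAM Condition. Keep the trailing "/" on the folder
# prefix: "uploads" alone would also match "uploads-archive/...".
prefix_condition() {
  # $1 = bucket name, $2 = folder prefix (should end with "/")
  printf 'resource.name.startsWith("projects/_/buckets/%s/objects/%s")' "$1" "$2"
}

# gcloud command that attaches the conditional objectCreator binding.
# Printed only; copy it to apply for real (requires permission to set policy).
grant_command() {
  # $1 = bucket, $2 = folder prefix, $3 = service account email
  expr=$(prefix_condition "$1" "$2")
  printf "gcloud storage buckets add-iam-policy-binding gs://%s \\\\\n" "$1"
  printf "  --member=serviceAccount:%s \\\\\n" "$3"
  printf "  --role=roles/storage.objectCreator \\\\\n"
  printf "  --condition='expression=%s,title=upload-prefix-only'\n" "$expr"
}

# Offline emulation of the condition for one object name: exit 0 when the
# object would be allowed, 1 when the condition would reject it.
object_allowed() {
  # $1 = bucket, $2 = folder prefix, $3 = object name being created
  name="projects/_/buckets/$1/objects/$3"
  case "$name" in
    "projects/_/buckets/$1/objects/$2"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demonstration with constructed placeholder values.
grant_command example-bucket uploads/ uploader@example-project.iam.gserviceaccount.com
for obj in uploads/report.pdf uploads-archive/report.pdf other/report.pdf; do
  if object_allowed example-bucket uploads/ "$obj"; then
    echo "allowed: $obj"
  else
    echo "denied:  $obj"
  fi
done
```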