Can't use service account IAM roles? #132

Closed
kevhill opened this issue Mar 21, 2017 · 7 comments
Comments

kevhill commented Mar 21, 2017

I'm going to guess this is some form of stupid user error, but I can't find any more info in the docs, so I am asking here. I can't seem to access any project resources with a service account, even though I have the correct IAMs.

Below is an IPython interactive session, but same results with the app I'm building:

In [1]: from google.cloud import storage

In [2]: client = storage.Client()

In [3]: [b.name for b in client.list_buckets()]
---------------------------------------------------------------------------
Forbidden                                 Traceback (most recent call last)
<ipython-input-3-3932e1359e2b> in <module>()
----> 1 [b.name for b in client.list_buckets()]

<ipython-input-3-3932e1359e2b> in <listcomp>(.0)
----> 1 [b.name for b in client.list_buckets()]

/usr/local/lib/python3.6/site-packages/google/cloud/iterator.py in _items_iter(self)
    216     def _items_iter(self):
    217         """Iterator for each item returned."""
--> 218         for page in self._page_iter(increment=False):
    219             for item in page:
    220                 self.num_results += 1

/usr/local/lib/python3.6/site-packages/google/cloud/iterator.py in _page_iter(self, increment)
    245         Yields :class:`Page` instances.
    246         """
--> 247         page = self._next_page()
    248         while page is not None:
    249             self.page_number += 1

/usr/local/lib/python3.6/site-packages/google/cloud/iterator.py in _next_page(self)
    345         """
    346         if self._has_next_page():
--> 347             response = self._get_next_page_response()
    348             items = response.get(self._items_key, ())
    349             page = Page(self, items, self._item_to_value)

/usr/local/lib/python3.6/site-packages/google/cloud/iterator.py in _get_next_page_response(self)
    394                 method=self._HTTP_METHOD,
    395                 path=self.path,
--> 396                 query_params=params)
    397         elif self._HTTP_METHOD == 'POST':
    398             return self.client._connection.api_request(

/usr/local/lib/python3.6/site-packages/google/cloud/_http.py in api_request(self, method, path, query_params, data, content_type, headers, api_base_url, api_version, expect_json, _target_object)
    301         if not 200 <= response.status < 300:
    302             raise make_exception(response, content,
--> 303                                  error_info=method + ' ' + url)
    304
    305         string_or_bytes = (six.binary_type, six.text_type)

Forbidden: 403 Caller does not have storage.buckets.list access to project [ELIDED]. (GET https://www.googleapis.com/storage/v1/b?project=[ELIDED]&projection=noAcl)

In [4]: creds = client._credentials

In [5]: creds.valid
Out[5]: True

In [6]: creds.service_account_email
Out[6]: 'image-stash@[ELIDED].iam.gserviceaccount.com'

In [7]: client.project
Out[7]: '[ELIDED]'

So I've got valid credentials on my service account... and the account is an owner of the project. (I had the app scoped appropriately, but escalated when I hit this error)

Any idea why these credentials wouldn't be accepted?

theacodes (Contributor) commented:

(I removed a screenshot because it exposed your project details)

kevhill (Author) commented Mar 21, 2017

Should project names and ID numbers really be kept secure? Seems like they should be safe for public consumption by design.

theacodes (Contributor) commented:

@kevhill a few questions:

  1. Are these service account credentials? (a private key .json file)?
  2. Where is your app running?
  3. What's the output of running this script?

Should project names and ID numbers really be kept secure? Seems like they should be safe for public consumption by design.

We'd prefer not to expose them on our issue tracker, but yeah, the project id is indeed visible in your App Engine URL.

kevhill (Author) commented Mar 21, 2017

Thanks for the quick reply.

  1. yes
  2. locally
  3. I had to enable the IAM API, but then got back {'error': {'code': 403, 'message': 'The caller does not have permission', 'status': 'PERMISSION_DENIED'}}

Also in the name of sanity checking I created a brand new service account and tried the whole flow again, and it worked fine. So, it seems like somehow that account got screwed up in a way not reflected by the roles. So, immediate problem fixed, if larger questions still left unanswered. But, it is probably something outside the scope of this library.

kevhill (Author) commented Mar 21, 2017

Ah, and then I ran a modified version of your script but used the creds that are now working, but looked up the image-stash account details and got back {'etag': 'BwVLQTPR32w=', 'bindings': [{'role': 'roles/iam.serviceAccountActor', 'members': ['serviceAccount:image-stash@[ELIDED].iam.gserviceaccount.com']}]}
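As an added illustration (not code from this thread or from the google-cloud-python library), here is a small offline inspector for a policy document in the shape pasted above: it lists the roles bound to a member, checks whether any of them is known to carry the storage.buckets.list permission named in the 403, and flags bindings whose member is a deleted principal, which is how IAM records a binding left behind by an earlier account even when a new one reuses the same email. The sample policy, emails and project are constructed placeholders, and the role set is an assumed partial list.

```python
"""Offline inspector for a Cloud IAM policy in the shape pasted above."""
from typing import Dict, List, Tuple

# Constructed sample policy (placeholders, not the reporter's real values).
# The "deleted:" member shows how IAM records a binding left behind by a
# principal that was deleted, even if a new one later has the same email.
SAMPLE_POLICY = {
    "etag": "BwVLQTPR32w=",
    "bindings": [
        {"role": "roles/iam.serviceAccountActor",
         "members": ["serviceAccount:image-stash@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["deleted:serviceAccount:old-sa@example-project.iam.gserviceaccount.com?uid=1234"]},
    ],
}

# Predefined roles that carry storage.buckets.list, the permission named in
# the 403 above. Assumption: partial list; verify against the current IAM
# role reference before relying on it.
BUCKET_LIST_ROLES = {"roles/owner", "roles/editor", "roles/viewer", "roles/storage.admin"}


def roles_for_member(policy: Dict, member: str) -> List[str]:
    """Every role bound to `member`, in binding order (empty if unbound)."""
    return [b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])]


def can_list_buckets(policy: Dict, member: str) -> bool:
    """True if any of the member's roles is known to grant storage.buckets.list."""
    return any(r in BUCKET_LIST_ROLES for r in roles_for_member(policy, member))


def stale_bindings(policy: Dict) -> List[Tuple[str, str]]:
    """(role, member) pairs whose member is a deleted principal."""
    return [(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m.startswith("deleted:")]


def diagnose(policy: Dict, service_account_email: str) -> str:
    """One-line reading of why a buckets.list call would (or would not) get a 403."""
    member = f"serviceAccount:{service_account_email}"
    roles = roles_for_member(policy, member)
    if not roles:
        return f"{member} appears in no binding: check the project and member spelling"
    if can_list_buckets(policy, member):
        return f"{member} holds {roles}: a 403 is consistent with propagation delay"
    return f"{member} holds only {roles}: none grants storage.buckets.list"
```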

kevhill (Author) commented Mar 21, 2017

OK, even weirder, deleting that service account entirely and making a new one with the SAME NAME doesn't work... wtf.

Closing this issue, thanks for the help.

@kevhill kevhill closed this as completed Mar 21, 2017
theacodes (Contributor) commented:

@kevhill: no worries, it was probably just a delay in permission propagation. :)

@yoshi-automation yoshi-automation added 🚨 This issue needs some love. triage me I really want to be triaged. labels Apr 7, 2020