Service account not having storage account create access

Trying to connect a glossary in Phrase using a service account key from Google for our trained MT engines.

Receiving the error that the service account 'does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).", "domain": "global", "reason": "forbidden" } ] } }'

But we have granted this account the following access in google console already:

Cloud translation API editor

Storage object viewer

and previously:

Storage object creator

Logged out of Phrase, recreated the MT profile, uploaded the glossary again and am getting the same error.


Please help urgently to resolve.

Thanks!

Poppy


Giving the service account "Storage Object Creator" role is needed to allow the account to create objects in a bucket. See https://cloud.google.com/storage/docs/access-control/iam-roles

However, we need to drill down on "which" bucket is being accessed. For example, imagine we have a user called "poppy" and "poppy" is working in the project "poppy-proj". If we give "poppy" the above role, then "poppy" can create objects in buckets OWNED by the project called "poppy-proj". However, if the application is trying to create objects in a bucket that is NOT owned by "poppy-proj" then "poppy" would need the role added to the project which DOES own the bucket.

Note ... I don't recommend adding Storage Object Creator at the project level. Rather, find the bucket that you want to create objects in and give "poppy" that role AGAINST the bucket only. Giving yourself the role at the project level means you have that role for ALL buckets owned by the project. Giving yourself that role for JUST the single bucket still allows you to work with the bucket but in the event that there was an accident, your "blast radius" is dramatically decreased.
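As an added illustration (not part of this thread or of Phrase's or Google's own tooling), here is a small Python check over the JSON that `gcloud storage buckets get-iam-policy BUCKET --format=json` returns, answering the "which bucket" question above: it reports whether the service account's bindings on that specific bucket include a role that carries storage.objects.create. The two policies and the service account name are constructed for the example.

```python
import json

# Predefined roles whose permission set includes storage.objects.create
# (see https://cloud.google.com/storage/docs/access-control/iam-roles).
# Storage Object Viewer is deliberately absent: it only grants read/list.
CREATE_ROLES = {
    "roles/storage.objectCreator",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/editor",
    "roles/owner",
}

# Constructed service account member string (IAM member syntax).
SA = "serviceAccount:mt-glossary@example-proj.iam.gserviceaccount.com"

# Constructed bucket policy: only Object Viewer bound on the bucket,
# which is the situation that produces a 403 on object upload.
VIEWER_ONLY_POLICY = json.loads("""
{"bindings": [{"role": "roles/storage.objectViewer", "members": [\"""" + SA + """\"]}]}
""")

# Constructed bucket policy after adding Object Creator on this bucket only.
FIXED_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.objectViewer",  "members": [\"""" + SA + """\"]},
  {"role": "roles/storage.objectCreator", "members": [\"""" + SA + """\"]}
]}
""")


def create_roles_for(policy, member):
    """Return the roles in a bucket IAM policy that give `member`
    storage.objects.create. An empty set means uploads will be denied."""
    granted = set()
    for binding in policy.get("bindings", []):
        # Conditional bindings depend on request attributes; don't count them.
        if "condition" in binding:
            continue
        if member in binding.get("members", []) and binding["role"] in CREATE_ROLES:
            granted.add(binding["role"])
    return granted


def diagnose(policy, member):
    """Human-readable verdict for the policy of the bucket actually used."""
    roles = create_roles_for(policy, member)
    if roles:
        return "ok: create granted via " + ", ".join(sorted(roles))
    return "403 expected: grant roles/storage.objectCreator on this bucket (not the project)"
```

Run the same check against the bucket Phrase actually writes to; if the verdict is "ok" but the upload still fails, the error is coming from a different bucket than the one you inspected.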

Hi, thank you for your reply. 

We had already previously granted the service account associated with the MT profiles 'Storage object creator' permissions, and seemingly none of the IAM roles we grant the service account are affecting the success. I still receive this error in Phrase: does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).", "domain": "global", "reason": "forbidden" } ] } }'

I don't fully understand the support you gave regarding the bucket. How can I check whether I am accessing and giving the correct permissions related to the correct bucket please?

Thanks,

Poppy

Any solution @kolban ? I am facing a similar issue.

Okay, for me I did give the `Editor` Role then regenerated the access keys.