Google Cloud Storage – Error 403: Access Denied

google-cloud-platform google-cloud-storage

I am trying out my project, which is based on this: https://github.com/GoogleCloudPlatform/iot-smart-home-cloud

My issue is:

cloudfunctions.googleapis.com
google.cloud.functions.v1.CloudFunctionsService.UpdateFunction
projects/casaminha-2e0ca/locations/us-central1/functions/syncOnRemove
neuberfran@gmail.com
Build failed: could not resolve source: googleapi: Error 403: 567xxxx1772xxxxxxxxxxxx@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden
com.google.net.rpc3.client.RpcClientException: APPLICATION_ERROR;google.devtools.cloudbuild.v1/ArgoAdminV1.CreateBuild;could not resolve source: googleapi: Error 403: 5676xxxxxx062@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden;AppErrorCode=3;StartTimeMs=999999999999540;unknown;ResFormat=AUTOMATIC;ServerTimeSec=0.999999999999999;LogBytes=256;Non-

On 27/jul/2021 I deleted Cloud Build or Cloud Run (I don't use Cloud Run in my project); I deleted it in the GCP console. I thought that was what was giving the credential error in my Actions on Google project. Then I started to receive the current error.

I remember that the service account I deleted was associated with google controller only (there was a question mark there).

I think the gcf command will rebuild this. But I'm not sure if this is correct. And I also don't know how to use gcf-sources-<PROJECT_NUMBER>-

I am trying Actions on Google, using Firestore and GCP.

commands:

firebase --project casaminha-2e0ca functions:config:set cloudiot.region=us-central1

firebase --project casaminha-2e0ca functions:config:set smarthome.id=567617xxxxxxxxxxxxxx9r9upjxxxxxxx0t.apps.googleusercontent.com smarthome.secret=D99999999999

firebase --project casaminha-2e0ca functions:config:set smarthome.key="99999999"

firebase deploy --project casaminha-2e0ca

This is my project on GitHub: https://github.com/neuberfran/firebasefunction

This is my issue tracker: https://issuetracker.google.com/issues/194942955?pli=1

Can you help?

Best Answer

When you are using Cloud Functions, the Cloud Build API must be enabled in order to deploy your Cloud Function; this is well documented in the tutorial (Before you begin). The Cloud Build Service Account is automatically generated when you enable the Cloud Build service in your Google Cloud project, and it looks like:

[PROJECT-ID]@cloudbuild.gserviceaccount.com

Regarding this:

On 27/jul/2021 I deleted Cloud Build or Cloud Run (I don't use Cloud Run in my project); I deleted it in the GCP console

Please note, regarding deleting a Service Account:

When you delete a service account, applications will no longer have access to Google Cloud resources through that service account.

And based on your issue tracker, it seems the solution is to recover your deleted Service Account. A deleted Service Account can be recovered within 30 days. To undelete or recover it, you must find the numeric ID or ACCOUNT_ID for the deleted service account, which you can get in Cloud Logging/Log Explorer; here is the tutorial.

Once you have obtained the numeric ID or the ACCOUNT_ID, run the following in your CLI or Cloud Shell or Cloud SDK:

gcloud beta iam service-accounts undelete ACCOUNT_ID

output:

restoredAccount:
  email: SA_NAME@PROJECT_ID.iam.gserviceaccount.com
  etag: BwWWE7zpApg=
  name: projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com
  oauth2ClientId: '123456789012345678901'
  projectId: PROJECT_ID
  uniqueId: 'ACCOUNT_ID'

UPDATE:

The root cause of the error was the missing `Cloud Build Service Account` permission, and it was solved by adding this permission.
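
One way to check for the missing role described in the update, as an added example that is not part of the original answer. It assumes the role titled "Cloud Build Service Account" has the ID `roles/cloudbuild.builds.builder`; the script name and function names are hypothetical, and the script only reports unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the role shown in the
# console as "Cloud Build Service Account" has the ID below.
BUILDER_ROLE="roles/cloudbuild.builds.builder"

# Extract the Cloud Build service account e-mail from a build error message.
sa_from_error() {
  printf '%s\n' "$1" |
    sed -n 's/.*Error 403: \([^ ]*@cloudbuild\.gserviceaccount\.com\) does not have .*/\1/p' |
    head -n 1
}

# Extract the permission the error says is missing (e.g. storage.objects.get).
permission_from_error() {
  printf '%s\n' "$1" |
    sed -n 's/.* does not have \([A-Za-z.]*\) access .*/\1/p' | head -n 1
}

# List the roles bound to a member. $1 = project ID, $2 = service account e-mail
roles_for_sa() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)"
}

# Succeeds only if the builder role is bound to the service account.
has_builder_role() {
  roles_for_sa "$1" "$2" | grep -qxF "$BUILDER_ROLE"
}

# Report the binding state; add the binding only when APPLY=1 is set.
check_binding() {
  if has_builder_role "$1" "$2"; then
    echo "ok: $2 has $BUILDER_ROLE"; return 0
  fi
  echo "missing: $2 lacks $BUILDER_ROLE"
  [ "${APPLY:-0}" = "1" ] || return 1
  gcloud projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$2" --role="$BUILDER_ROLE" >/dev/null
}

# Usage: sh check_cloudbuild_sa.sh PROJECT_ID "pasted build error text"
if [ "$#" -eq 2 ]; then
  sa=$(sa_from_error "$2")
  [ -n "$sa" ] || { echo "no Cloud Build service account in error" >&2; exit 2; }
  echo "principal: $sa, denied permission: $(permission_from_error "$2")"
  check_binding "$1" "$sa"
fi
```

Granting the role on the project rather than a broader role such as Editor keeps the Cloud Build service account close to least privilege.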