How to Fix “service account does not have storage.buckets.get access” Error in Google Cloud Storage Python API
When working with the Google Cloud Storage Python API, you might encounter this frustrating error:

[service-account-ID]-compute@developer.gserviceaccount.com does not have storage.buckets.get access to [bucket-name]

This occurs even when the same service account can successfully list objects using gsutil. The discrepancy arises because the two tools call different Cloud Storage operations, and those operations require different IAM permissions.

While gsutil ls needs only the storage.objects.list permission, the Python client library's get_bucket() call additionally requires a bucket-level permission:

  • storage.buckets.get - Required for bucket metadata operations
  • storage.objects.list - Required for listing objects

To resolve this, grant your service account at least the Storage Object Viewer role, together with Storage Legacy Bucket Reader for the bucket-level permission:

gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member="serviceAccount:[SERVICE_ACCOUNT_EMAIL]" \
  --role="roles/storage.objectViewer"
gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member="serviceAccount:[SERVICE_ACCOUNT_EMAIL]" \
  --role="roles/storage.legacyBucketReader"

If you can't modify permissions, you can use this workaround that lists objects without requiring bucket metadata access:

from google.cloud import storage

storage_client = storage.Client(project='[project-id]')
# Use list_blobs directly without get_bucket
blobs = storage_client.list_blobs('[bucket-name]')

for blob in blobs:
    print(blob.name)

You can check your service account's permissions with this code snippet:

from google.cloud import storage
from google.api_core import exceptions

def check_bucket_access(bucket_name):
    storage_client = storage.Client()
    try:
        bucket = storage_client.get_bucket(bucket_name)
        print(f"Successfully accessed {bucket_name}")
        return True
    except exceptions.Forbidden as e:
        print(f"Access denied to {bucket_name}: {e}")
        return False
    except exceptions.NotFound:
        print(f"Bucket {bucket_name} not found")
        return False

Best practices when granting access:

  • Always grant the minimum required permissions
  • Use custom IAM roles when possible for fine-grained control
  • Test permissions in development before production
  • Consider using signed URLs for temporary access

When working with the Google Cloud Storage (GCS) Python client library, you might encounter this frustrating error:

from google.cloud import storage

storage_client = storage.Client(project='my-project')
bucket = storage_client.get_bucket('my-bucket')  # This line fails

The error message typically looks like:

[service-account-ID]-compute@developer.gserviceaccount.com does not have storage.buckets.get access to my-bucket

Interestingly, when you use gsutil with the same service account:

gsutil ls gs://my-bucket

It works perfectly fine. This discrepancy occurs because:

  • gsutil ls relies on a different permission (storage.objects.list)
  • The Python client's get_bucket() method requires the storage.buckets.get permission
  • list_blobs() only requires the storage.objects.list permission

The most straightforward solution is to grant the storage.buckets.get permission:

gcloud projects add-iam-policy-binding my-project \
    --member="serviceAccount:service-account-ID@developer.gserviceaccount.com" \
    --role="roles/storage.objectViewer"

For broader access, you might want to use:

gcloud projects add-iam-policy-binding my-project \
    --member="serviceAccount:service-account-ID@developer.gserviceaccount.com" \
    --role="roles/storage.admin"

If you can't modify permissions, use this workaround:

from google.cloud import storage

storage_client = storage.Client(project='my-project')
# Skip get_bucket() and go straight to listing blobs
blobs = storage_client.list_blobs('my-bucket')

for blob in blobs:
    print(blob.name)

Another approach is to grant the service account read access through the bucket's ACL:

gsutil acl ch -u service-account-ID@developer.gserviceaccount.com:R gs://my-bucket

After applying any solution, verify with:

gcloud auth list  # Check active account
gcloud projects get-iam-policy my-project  # Check permissions

Best practices:

  • Always follow the principle of least privilege
  • Use service account keys rather than user credentials
  • Consider using signed URLs for temporary access
  • Regularly audit permissions with gcloud commands
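The check_bucket_access() snippet above only tells you that a call failed; the following added example (not code from the original post) works out offline which permission is missing by reading the JSON that `gcloud projects get-iam-policy --format=json` prints. The role-to-permission map is a subset of Google's predefined role definitions, and the service account e-mail and policy are constructed sample values.

```python
"""Offline check of which required GCS permissions an IAM policy grants a member."""
import json

# Subset of the predefined role definitions (refresh with
# `gcloud iam roles describe roles/storage.objectViewer` and friends).
# Note that Storage Object Viewer does NOT carry storage.buckets.get.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
    "roles/storage.admin": {"storage.buckets.get", "storage.buckets.list",
                            "storage.objects.get", "storage.objects.list"},
}

# What the two client calls discussed on this page need.
NEEDS = {
    "get_bucket": {"storage.buckets.get"},
    "list_blobs": {"storage.objects.list"},
}


def granted_permissions(policy, member):
    """Union of permissions that unconditional bindings in `policy` give `member`.

    Bindings carrying an IAM condition are skipped: whether they apply depends
    on request context, so the conservative reading is 'not guaranteed'.
    """
    perms = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding or member not in binding.get("members", []):
            continue
        perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def missing_for(policy, member):
    """Map each client call to the permissions `member` still lacks for it."""
    have = granted_permissions(policy, member)
    return {call: sorted(need - have) for call, need in NEEDS.items()}


# Constructed sample policy: the account holds only Storage Object Viewer.
SAMPLE_MEMBER = "serviceAccount:sa@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""{
  "bindings": [{"role": "roles/storage.objectViewer",
                "members": ["serviceAccount:sa@example-project.iam.gserviceaccount.com"]}],
  "etag": "BwXyz=", "version": 1
}""")

if __name__ == "__main__":
    print(missing_for(SAMPLE_POLICY, SAMPLE_MEMBER))
    # -> {'get_bucket': ['storage.buckets.get'], 'list_blobs': []}
```

Bucket-level policies from `gcloud storage buckets get-iam-policy gs://my-bucket --format=json` have the same bindings shape and can be passed to the same function.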