googlec-storage-object-creator@project-name.iam.gserviceaccount.com does not have storage.objects.delete access to bucket-x/xxx.jpg

Question

Trying to upload an image from server to server I got:

[ { domain: 'global', reason: 'forbidden', message: 'googlec-storage-object-creator@project-name.iam.gserviceaccount.com does not have storage.objects.delete access to bucket-mybucket/mypicture.jpg.' } ], code: 403,

If the image name is different, it just works. Versioning is suspended, and there was a file with that name, but it was removed.

I even removed the bucket and created it again, and the problem persists.

No error at all if the filename is different from "mypicture.jpg"

Any help about that ? Thanks

Answer 1

If I understood your question correctly, you are trying to upload a file mypicture.jpg to one of your buckets bucket-mybucket, using a service account with which you have storage.objectCreator role permissions.

The error message that is shown makes me understand that there was already a file mypicture.jpg, and you are trying to override it, which requires the storage.objects.delete permission, which is not granted in the role I presume you are using.

There are several points that can be covered:

1. Have you tried granting the required delete permission to the Service Account you are using?
2. You say you deleted the file that was already existing with that name. You did it with a different Service Account with the appropriate permissions, is that right? Have you tried uploading the file with that Service Account? Did you delete it before or after disabling versioning?
3. When you say you removed the bucket and created it again, you mean that you were trying to upload the file to a newly created (completely empty and with no other prior version of mypicture.jpg) and it failed too?
4. Using a Service Account that has the appropriate permissions, run the command gsutil ls -L gs://BUCKET_NAME/FILE_NAME to see its metadata and check whether there is any remaining thing from that file that may be conflicting and requires the delete permission.
5. Disabling object versioning only stops future archiving. If you disabled object versioning after deleting it, there will still be some archived versions remaining in GCS, so you should delete them manually. You can list the archived versions with the command gsutil ls -a gs://BUCKET_NAME.
6. If none of that works, how are you trying to do the upload? gsutil CLI tool, Client Library...?

Answer 2

I did the same thing as OP did,and had spending a bunch of hours for this, I found out the post from google cloud node on github.

By stephenplusplus

I have a feeling this is due to an issue in gcs-resumable-upload, the module behind this method. There is a PR with a fix: stephenplusplus/gcs-resumable-upload#23

In the meantime, you could try:

Disabling resumable uploads: gcs_file.createWriteStream({ resumable: false }) Deleting the cache file that gcs-resumable-upload uses to track the state of uploads: ~/.config/configstore/gcs-resumable-upload.json If neither of these work, we likely have a different problem on our hands. Let me know, and sorry you ran into this!

Just disabling resumable update on WriteableStream, and enjoy the new world.