Service account does not have storage.buckets.get access to bucket
Solution 1:
GCP has the concept of roles and permissions. A role is something like Storage Admin (roles/storage.admin) and a permission is something like storage.buckets.get. Roles are made up of one or more permissions. Permissions are always granted by applying a role to a principal (user, service account, or group) -- that is, you cannot assign a permission directly to a principal.
The error you're seeing is because the permission storage.buckets.get is missing from the service account -- that is, none of the role(s) applied to the service account grant the storage.buckets.get permission. You can list the objects of a bucket (storage.objects.list permission) without the ability to list buckets (storage.buckets.get permission).
Therefore you need to assign a role such as roles/storage.admin that has the storage.buckets.get permission. You can also create a Custom Role with just that permission if you want to operate with a least-privilege model.
Solution 2:
To add to the top answer, note that the role roles/storage.legacyBucketReader has the storage.buckets.get permission too. (See https://cloud.google.com/iam/docs/permissions-reference)
So to add that service account to that role:
gsutil iam ch serviceAccount:[email protected]:legacyBucketReader gs://ex-bucket
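The role-to-permission model from Solution 1 and the binding change from Solution 2, as an added example that is not part of either answer: given an IAM policy and a table of role definitions, it computes which permissions a service account effectively holds, lists the roles that would grant a missing permission from narrowest to broadest, and applies a binding the way `gsutil iam ch` does. The role table, the policy, the service account name and the custom role `projects/example-project/roles/bucketGetOnly` are all constructed sample data; real role contents come from the permissions reference linked above.

```python
from typing import Dict, List, Set
# Constructed subset of GCP role definitions; real roles carry many more
# permissions (see https://cloud.google.com/iam/docs/permissions-reference).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.admin": {"storage.buckets.get", "storage.buckets.list",
                            "storage.objects.get", "storage.objects.list"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
    # Hypothetical custom role holding only the one permission (least privilege).
    "projects/example-project/roles/bucketGetOnly": {"storage.buckets.get"},
}

# Constructed sample in the shape `gcloud projects get-iam-policy --format=json` returns.
SA = "serviceAccount:my-sa@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": [SA]},
        {"role": "roles/storage.admin", "members": ["user:admin@example.com"]},
    ]
}


def effective_permissions(policy: dict, member: str,
                          roles: Dict[str, Set[str]] = ROLE_PERMISSIONS) -> Set[str]:
    """Union of the permissions of every role bound to `member` (permissions
    are only ever granted through roles, never directly to a principal)."""
    granted: Set[str] = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            granted |= roles.get(binding["role"], set())
    return granted


def roles_granting(permission: str,
                   roles: Dict[str, Set[str]] = ROLE_PERMISSIONS) -> List[str]:
    """Roles that contain `permission`, narrowest (fewest permissions) first."""
    matches = [r for r, perms in roles.items() if permission in perms]
    return sorted(matches, key=lambda r: (len(roles[r]), r))


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Copy of `policy` with `member` bound to `role` (what `gsutil iam ch` does)."""
    new = {"bindings": [dict(b, members=list(b["members"])) for b in policy["bindings"]]}
    for b in new["bindings"]:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new
```

Running `roles_granting("storage.buckets.get")` against the sample table puts the single-permission custom role first, then roles/storage.legacyBucketReader, then roles/storage.admin, which is the least-privilege ordering the answers recommend.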