Your code is running on Cloud Functions in project A. It is supposed to write an object in a Cloud Storage bucket owned by project B. However, the write call is failing with the error "403 Forbidden". What should you do to correct the problem?
A. Grant your user account the roles/storage.objectCreator role for the Cloud Storage bucket.
B. Grant your user account the roles/iam.serviceAccountUser role for the [email protected] service account.
C. Grant the [email protected] service account the roles/storage.objectCreator role for the Cloud Storage bucket.
The answer is C: the default service account used by Cloud Functions is [email protected] (cf. https://cloud.google.com/functions/docs/concepts/iam#troubleshooting_permission_errors)
C. Grant the [email protected] service account the roles/storage.objectCreator role for the Cloud Storage bucket.
The error "403 Forbidden" typically indicates a permissions issue. When a Google Cloud Function tries to access a resource in another project (in this case, a Cloud Storage bucket in project B), it does so using its associated service account. By default, this service account is [email protected] where PROJECT_ID is the ID of the project where the Cloud Function is running (project A).
C. Grant the [email protected] service account the roles/storage.objectCreator role for the Cloud Storage bucket.
In order for the Cloud Functions code running in project A to write to a Cloud Storage bucket in project B, the service account that is used to execute the code needs to be granted the appropriate permissions. In this case, you should grant the [email protected] service account the roles/storage.objectCreator role for the Cloud Storage bucket in project B. This will allow the code to write objects to the bucket. Option A would not work because it is the service account, not your user account, that needs to be granted permissions.
Option B would not work because the roles/iam.serviceAccountUser role does not grant any permissions to access Cloud Storage. Option D would not solve the problem, as the Cloud Storage API is already enabled in both projects by default.
https://cloud.google.com/functions/docs/troubleshooting:
"The Cloud Functions service uses the Cloud Functions Service Agent service account (service-<PROJECT_NUMBER>@gcf-admin-robot.iam.gserviceaccount.com) when performing administrative actions on your project. By default this account is assigned the Cloud Functions cloudfunctions.serviceAgent role. This role is required for Cloud Pub/Sub, IAM, Cloud Storage and Firebase integrations. If you have changed the role for this service account, deployment fails."
Answer is C
Seems there is no correct answer here... The correct answer should be to add the service account used by the Cloud Function as a member on the target bucket with the roles/storage.objectCreator role.
The correct answer is C but, like you say, it is not the best. Leaving the default account in place is a bad procedure. The best answer must be "Create a new service account and assign it to the cloud build, and grant the object creator permission to that account".
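The reasoning in the comments above (the write is authorised against the function's runtime service account, not the deploying user, and roles/iam.serviceAccountUser carries no storage permission) can be checked with a small model of a bucket IAM policy. This is an added example, not code from the thread or from Google: the role-to-permission map is a deliberately reduced subset of the real predefined roles, and the project, bucket and account names are constructed placeholders.

```python
"""Model of how a bucket IAM policy in project B decides a write coming from a
Cloud Function in project A.  Constructed example; the role map below lists
only the permissions needed to reason about options A, B and C."""
from dataclasses import dataclass, field

# Assumption: reduced subset of the permissions carried by each predefined role.
ROLE_PERMISSIONS = {
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    # serviceAccountUser lets a principal act as / attach a service account;
    # it contains no Cloud Storage permission at all.
    "roles/iam.serviceAccountUser": {
        "iam.serviceAccounts.actAs",
        "iam.serviceAccounts.get",
        "iam.serviceAccounts.list",
    },
}


@dataclass
class BucketPolicy:
    """bindings maps role -> set of members, mirroring the shape of a
    `gcloud storage buckets get-iam-policy` result."""
    bindings: dict = field(default_factory=dict)

    def grant(self, member: str, role: str) -> None:
        self.bindings.setdefault(role, set()).add(member)

    def has_permission(self, member: str, permission: str) -> bool:
        return any(
            member in members and permission in ROLE_PERMISSIONS.get(role, set())
            for role, members in self.bindings.items()
        )


def write_object(policy: BucketPolicy, caller: str, bucket: str, name: str) -> str:
    """Simulate the object write.  The identity that is checked is the caller,
    i.e. the function's runtime service account, never whoever deployed it."""
    if not policy.has_permission(caller, "storage.objects.create"):
        return f"403 Forbidden: {caller} lacks storage.objects.create on gs://{bucket}"
    return f"201 Created: gs://{bucket}/{name}"


def remediation_command(bucket: str, service_account_email: str) -> str:
    """The bucket-level binding in project B that option C describes, written as
    the gcloud command an operator would run."""
    return (
        f"gcloud storage buckets add-iam-policy-binding gs://{bucket} "
        f"--member=serviceAccount:{service_account_email} "
        f"--role=roles/storage.objectCreator"
    )


# Constructed identities (placeholders, not real projects or accounts).
DEPLOYER = "user:dev@example.com"
SA_EMAIL = "project-a@appspot.gserviceaccount.com"  # shape of the default runtime SA
RUNTIME_CALLER = "serviceAccount:" + SA_EMAIL
BUCKET = "project-b-output"


def scenario() -> dict:
    """Walk options A, B and C against a fresh bucket policy in project B and
    return the HTTP-style outcome of the function's write after each step."""
    results = {}
    policy = BucketPolicy()
    # Starting point: no binding for the runtime SA -> the write fails.
    results["initial"] = write_object(policy, RUNTIME_CALLER, BUCKET, "report.json")
    # Option A: objectCreator for the *user*.  The function still calls as the SA.
    policy.grant(DEPLOYER, "roles/storage.objectCreator")
    results["option_a"] = write_object(policy, RUNTIME_CALLER, BUCKET, "report.json")
    # Option B: serviceAccountUser, even if it were bound here, has no storage
    # permission in it, so the write still fails.
    policy.grant(DEPLOYER, "roles/iam.serviceAccountUser")
    results["option_b"] = write_object(policy, RUNTIME_CALLER, BUCKET, "report.json")
    # Option C: bind the runtime service account itself on the bucket.
    policy.grant(RUNTIME_CALLER, "roles/storage.objectCreator")
    results["option_c"] = write_object(policy, RUNTIME_CALLER, BUCKET, "report.json")
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step:9s} {outcome}")
    print(remediation_command(BUCKET, SA_EMAIL))
```

The same model also shows why the dedicated-service-account suggestion is the tighter design: the binding is a single member on a single bucket, so swapping the default runtime account for a purpose-built one changes only which `serviceAccount:` member receives roles/storage.objectCreator.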