googleapis/google-cloud-php

"serviceusage.services.use" Permission denied.

lope7 opened this issue · 9 comments

Environment details

  • PHP version: ^8.2
  • Package name and version: google/cloud-storage -> Version: "v1.39.1".

Steps to reproduce

When I try to use the exists() method of the google cloud-storage library in the StorageObject class, I receive a permissions error:
Permission 'serviceusage.services.use' denied on resource (or it may not exist).
It's strange because when I use the method to list the bucket objects it does it correctly and doesn't ask for that permission.

Hi @lope7 ,

This means you're missing the serviceusage.services.use IAM permission on your credential. Can you please post a reproduction script where I can try to confirm this issue?

Hi @yash30201,
Thank you very much for your response.
We know that it asks for that permission and we don't have it, but we want to know why that permission is requested when doing an "exists()", since it should not be necessary: we have been able to use other write methods and they do not ask for this permission.
I understand that the solution is to activate that permission, but this doesn't make sense, right?

Yes, this seems strange. That's why I wanted you to post a script where you're experiencing this, so I can troubleshoot it further.

```php
<?php

require_once __DIR__ . '/vendor/autoload.php'; // Composer autoloader (added so the script runs stand-alone)

use Google\Cloud\Storage\StorageClient;

$storageClient = new StorageClient([
    "projectId" => 'xxx',
    "apiEndpoint" => 'xxx'
]);
$bucketName = 'xxx'; // was $this->bucketName; there is no class context in this script
$nameImage = 'image.jpg';
$bucket = $storageClient->bucket($bucketName, true); // second argument of bucket() is $userProject
$object = $bucket->object($nameImage);
try {
    $object->exists();
} catch (Throwable $e) {
    die("Our problem is here " . $e->getMessage());
}
```

Can you tell me how you authenticate in the library? (Service Account, gcloud auth login, Impersonated Service Account, External Account Credentials . . . )

Hi @yash30201 , I'm Lope's teammate. He is on vacation. We use a Service Account to authenticate.

Hey @glesende , I ran the following script which you provided with a Service Account which only has the Storage Admin permission. I didn't face any issue.

```php
<?php

use Google\Cloud\Storage\StorageClient;

require_once __DIR__ . '/../vendor/autoload.php';

$storage = new StorageClient([
    'projectId' => getenv('GOOGLE_PROJECT_ID'),
    'keyFilePath' => getenv('GOOGLE_CLOUD_STORAGE_SA')
]);

$bucket = $storage->bucket('testing-bucket'); // no $userProject argument here
$object = $bucket->object('test.image');
try {
    $object->exists();
} catch (Throwable $e) {
    die("Our problem is here " . $e->getMessage());
}
```

So this rules out the fact that $object->exists() requires an extra IAM permission.

I think the issue is that the service account which the library is picking up doesn't have the proper permissions to access the project to which you're trying to bill the API calls.

Thank you, we will check this with our SRE team.

Hey @glesende , thanks for opening this issue.

I'm closing this for now. Please reopen if it still persists and you're sure it's coming from this library.
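An added diagnostic (not from the thread or the library's own examples) that makes the difference between the two scripts above visible: the reporter's script passes `true` as the second argument of `bucket()`, which is `$userProject`, so every request on that bucket is billed to the client's project ID, and billing a request to a project requires `serviceusage.services.use` on that project; the maintainer's script omits the argument. The placeholder project, key path, bucket and the `probe()` helper are assumptions.

```php
<?php
// Added example, not the reporter's or maintainer's code.
// Probes the same object twice: once with userProject billing (as in the
// reporter's script) and once without (as in the maintainer's script), and
// says which one triggers the serviceusage.services.use check.
// Assumes google/cloud-storage is installed via Composer and that the
// placeholder values below are replaced with real ones.

require_once __DIR__ . '/vendor/autoload.php';

use Google\Cloud\Core\Exception\ServiceException;
use Google\Cloud\Storage\Bucket;
use Google\Cloud\Storage\StorageClient;

$client = new StorageClient([
    'projectId'   => 'my-project-id',       // placeholder
    'keyFilePath' => '/path/to/sa-key.json', // placeholder
]);
$bucketName = 'my-bucket';  // placeholder
$objectName = 'image.jpg';

/**
 * Call exists() on the object and report whether the request was billed
 * to a project (Bucket::identity() exposes the userProject, if any).
 */
function probe(Bucket $bucket, string $objectName): string
{
    $userProject = $bucket->identity()['userProject'] ?? null;
    $billing = $userProject ? "billed to {$userProject}" : 'not billed to a project';
    try {
        $state = $bucket->object($objectName)->exists() ? 'exists' : 'missing';
        return "{$objectName}: {$state} ({$billing})";
    } catch (ServiceException $e) {
        // exists() already maps 404 to false; anything else (e.g. 403) lands here.
        $hint = str_contains($e->getMessage(), 'serviceusage.services.use')
            ? ' <- drop the userProject flag, or grant serviceusage.services.use on the billed project'
            : '';
        return "{$objectName}: HTTP {$e->getCode()} ({$billing}){$hint}";
    }
}

// Reporter's form: userProject = true, so the client's projectId is billed.
echo probe($client->bucket($bucketName, true), $objectName), PHP_EOL;
// Maintainer's form: no userProject, so Storage Admin on the bucket is enough.
echo probe($client->bucket($bucketName), $objectName), PHP_EOL;
```

Only the first call can fail with the permission in the issue title; if the bucket is not Requester Pays and cross-project billing is not needed, removing the `true` argument is the fix.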