Report #100150
[bug_fix] google.api_core.exceptions.PermissionDenied: 403 ... does not have storage.buckets.list access to the project, or the project does not exist.
Identify the authenticated principal (service-account email or user) named in the error and grant it the least-privilege IAM role that actually carries the denied permission, for example `gcloud projects add-iam-policy-binding PROJECT --member=serviceAccount:SA --role=roles/storage.objectViewer` when the denied permission is an object read such as `storage.objects.get`. Note that `roles/storage.objectViewer` does not include `storage.buckets.list` (listing the buckets of a project), so for the error above choose a role that contains that specific permission. Confirm what a role grants with `gcloud iam roles describe ROLE` before binding it, and verify the binding afterwards with `gcloud projects get-iam-policy PROJECT`.
Journey Context:
A Cloud Run service runs as the default compute service account. Its code calls Secret Manager to fetch a secret and receives a 403 PermissionDenied. The developer first assumes ADC is broken, but the error message names the exact service-account email and the missing permission. They check the Cloud Run service's identity, then open IAM and see that `roles/secretmanager.secretAccessor` is not bound to that service account. They add the role, wait a minute for propagation, and the next request succeeds. The root cause is that GCP authentication and authorization are separate: ADC supplies a valid identity, but IAM controls what that identity is allowed to do. Without the role binding, the API correctly rejects the call.
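The triage steps above (read the principal and the denied permission out of the 403, pick the narrowest role that carries that permission, emit the binding command) as a small Python helper. This is an added example, not code from the report or from any Google library; the two sample error messages are constructed to match the google-api-core message shapes quoted on this page, and the role-to-permission table is a hand-built subset (the project id `demo-proj` and the service account `app-sa@...` are made up). Verify any role's real contents with `gcloud iam roles describe ROLE` before binding it.

```python
"""Triage a google-api-core 403 PermissionDenied: extract the principal and the
denied permission, pick a least-privilege role that carries it, and build the
gcloud binding command. Added example; samples and role table are constructed."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample messages modelled on the formats google-api-core raises.
SAMPLE_STORAGE_403 = (
    "403 GET https://storage.googleapis.com/storage/v1/b?project=demo-proj: "
    "app-sa@demo-proj.iam.gserviceaccount.com does not have storage.buckets.list "
    "access to the project, or the project does not exist."
)
SAMPLE_SECRET_403 = (
    "403 Permission 'secretmanager.versions.access' denied for resource "
    "'projects/demo-proj/secrets/db-password/versions/latest' (or it may not exist)."
)

# Hand-built, abbreviated subset of predefined-role contents (not the full
# permission lists). roles/viewer is included to show that a broad role carries
# storage.buckets.list while roles/storage.objectViewer does not.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/secretmanager.secretAccessor": {"secretmanager.versions.access"},
    "roles/viewer": {
        "storage.buckets.list", "storage.buckets.get",
        "storage.objects.get", "storage.objects.list",
    },
}

_PERM = r"[a-z]+(?:\.[A-Za-z]+){2}"  # service.resource.verb
_PRINCIPAL_RE = re.compile(r"(?P<principal>[\w.+-]+@[\w.-]+) does not have (?P<perm>" + _PERM + ")")
_PERM_RE = re.compile(r"Permission '(?P<perm>" + _PERM + r")' denied")
_RESOURCE_RE = re.compile(r"for resource '(?P<resource>[^']+)'")


def parse_permission_denied(message: str) -> Dict[str, Optional[str]]:
    """Pull principal, permission and resource out of a 403 message.
    Secret Manager style messages name no principal, so principal may be None."""
    principal = permission = resource = None
    m = _PRINCIPAL_RE.search(message)
    if m:
        principal, permission = m.group("principal"), m.group("perm")
    else:
        m = _PERM_RE.search(message)
        if m:
            permission = m.group("perm")
    r = _RESOURCE_RE.search(message)
    if r:
        resource = r.group("resource")
    return {"principal": principal, "permission": permission, "resource": resource}


def least_privilege_roles(permission: str,
                          role_permissions: Dict[str, Set[str]] = ROLE_PERMISSIONS) -> List[str]:
    """Roles in the table that grant the permission, narrowest (fewest perms) first."""
    matches = [role for role, perms in role_permissions.items() if permission in perms]
    return sorted(matches, key=lambda role: (len(role_permissions[role]), role))


def member_for(principal: str) -> str:
    """IAM member string: service accounts get the serviceAccount: prefix, humans user:."""
    prefix = "serviceAccount:" if principal.endswith(".gserviceaccount.com") else "user:"
    return prefix + principal


def binding_command(project: str, principal: str, role: str) -> str:
    """The gcloud command that adds the role binding at project level."""
    return (f"gcloud projects add-iam-policy-binding {project} "
            f"--member={member_for(principal)} --role={role}")


def current_principal() -> Optional[str]:
    """Best effort: ask ADC which identity it supplies, for messages that omit it.
    Returns None when google-auth is absent or no credentials are configured."""
    try:
        import google.auth  # optional dependency; only used when available
        creds, _project = google.auth.default()
        return getattr(creds, "service_account_email", None)
    except Exception:
        return None


if __name__ == "__main__":
    for msg in (SAMPLE_STORAGE_403, SAMPLE_SECRET_403):
        info = parse_permission_denied(msg)
        who = info["principal"] or current_principal() or "<principal from ADC>"
        roles = least_privilege_roles(info["permission"])
        print(info, "->", roles)
        if roles:
            print("  ", binding_command("demo-proj", who, roles[0]))
```

For the Secret Manager message the principal is not in the text, so `current_principal()` (or the Cloud Run service's configured identity) supplies it; for the Storage message the table shows why binding `roles/storage.objectViewer` would not have fixed a `storage.buckets.list` denial.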
⚠ Workarounds are unverified: always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T04:44:50.808805+00:00 — report_created — created