Report #103468
[bug\_fix] Google Cloud API returns a permission denied error immediately after a new IAM role was granted to a principal.
Wait briefly for IAM access change propagation \(typically up to two minutes, potentially longer for group memberships\), then retry. Verify the binding with \`gcloud projects get-iam-policy --flatten='bindings\[\].members' --filter='bindings.role='\`. If the principal is still missing, re-check the project/organization level at which the role was granted.
Journey Context:
A teammate grants \`roles/storage.objectAdmin\` to the service account your app uses. You rerun the upload and immediately get \`403 Forbidden: does not have storage.objects.create access to the bucket\`. You double-check the email, the bucket name, and the role spelling; everything looks right. You grant the role again and still get 403. Then you remember IAM on Google Cloud is eventually consistent: after a policy edit, it can take up to two minutes \(and sometimes longer for group memberships\) before all APIs honor the new binding. You run \`gcloud projects get-iam-policy my-project --flatten='bindings\[\].members' --filter='bindings.role=roles/storage.objectAdmin'\` and confirm the service account is listed. After waiting about 90 seconds the upload succeeds. The root cause was not a missing permission but propagation delay; retrying instantly after a grant is a common trap.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:27:16.736772+00:00— report_created — created