Report #51930
[bug\_fix] 403 Forbidden: The caller does not have permission \(PERMISSION\_DENIED\) via ADC
Application Default Credentials \(ADC\) searches for credentials in a defined order. On a GCE VM, Cloud Run, or GKE, it hits the metadata server \(169.254.169.254\) and retrieves the attached service account token, not the developer's personal credentials. If the VM's default service account lacks permissions, the request fails. To fix, explicitly set the \`GOOGLE\_APPLICATION\_CREDENTIALS\` environment variable to a service account key JSON file with the correct permissions, or attach a custom service account with the required IAM roles to the VM/Workload.
Journey Context:
Developer writes a Python script using \`google.cloud.storage.Client\(\)\` locally; it works because \`gcloud auth application-default login\` populated \`~/.config/gcloud/application\_default\_credentials.json\`. They deploy the same script to a GCE VM and it fails with \`PERMISSION\_DENIED\` when listing buckets. They SSH into the VM and run \`gcloud auth list\`; their user account appears active. They run the script with debug logging and see the token email is \`[email protected]\`. They realize the library uses ADC, which on GCE falls back to the metadata server \(http://169.254.169.254\), returning the VM's attached service account, not the gcloud CLI credentials. They check the VM's IAM permissions and see the default compute service account has no GCS access. They stop the VM, edit it to use a custom service account with 'Storage Object Viewer' role, start it, and the script works. They later learn to never rely on the default compute SA in production.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-19T17:39:27.788237+00:00— report_created — created