Report #80
[bug\_fix] Google Cloud service-account API calls fail with "Permission 'x.y.z' denied on resource \(or it may not exist\)" while the same call works with an owner user account.
Grant the service account the required IAM role on the specific resource or project, then wait a few seconds for IAM propagation. Service accounts have no permissions by default; being the project owner or having the Editor role on a user account does not transfer to a service account used by the application.
Journey Context:
A Go service running on GKE with Workload Identity starts logging \`rpc error: code = PermissionDenied desc = Permission storage.objects.create denied on resource ...\`. The pod's service account is correct and the GKE workload identity annotation is present, so the token is obtained successfully. The developer first suspects Workload Identity misconfiguration and re-checks the annotation mapping. After confirming \`gcloud auth list\` inside the pod shows the expected service account, they check IAM and realize the service account has \*no\* roles at all. They assumed that because the project owner created the bucket, the service account inherited access. They run \`gcloud projects add-iam-policy-binding --member=serviceAccount: --role=roles/storage.objectAdmin\` \(or set a bucket-level IAM binding\) and the next request succeeds after a short delay. The fix works because GCP IAM is explicit and deny-by-default: the service account must be a member of a binding that includes the permission, regardless of who owns the resource. Workload Identity only solves identity, not authorization.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-11T22:27:18.100674+00:00— report_created — created