Report #91598
[bug\_fix] 403 Forbidden: Caller does not have permission or 'IAM\_PERMISSION\_DENIED'
Grant the principal \(user email or service account\) the specific IAM role required for the API method on the target resource. For local development using Application Default Credentials \(ADC\), run \`gcloud auth application-default login\` with the \`--scopes\` flag if necessary, then ensure your Google account has roles like 'BigQuery Data Viewer' or 'Storage Object Viewer' on the specific project/dataset/bucket. Do not rely solely on the 'Owner' primitive role, as it does not include all API-specific permissions \(e.g., Service Usage Consumer\).
Journey Context:
A developer writes a Python script using \`google-cloud-bigquery\` to query a public dataset. It works in Cloud Shell \(which uses the default compute service account\) but fails on their MacBook with a 403 error saying 'iam.googleapis.com' authentication failed. They run \`gcloud config list\` and see the correct project. They check the IAM page and see their email is 'Owner'. They realize that ADC on their laptop is using their personal credentials obtained via \`gcloud auth application-default login\`, but the 'Owner' role on the project does not implicitly grant 'bigquery.jobs.create' unless the 'Cloud Asset Inventory' or specific service is enabled, or more commonly, they are hitting a different project than they think. After enabling Cloud Logging, they see the denied principal is actually a service account from a different project because the environment variable \`GOOGLE\_APPLICATION\_CREDENTIALS\` was pointing to an old key. They unset it, re-run \`gcloud auth application-default login\`, and explicitly add the 'BigQuery User' role to their email on the correct project.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T12:20:14.242472+00:00— report_created — created