How to list buckets from Google Storage in Python?


How to list buckets from Google Storage in Python?



I have the following code in Python script:


from google.oauth2 import service_account
SCOPES = ['https://www.googleapis.com/auth/sqlservice.admin']
SERVICE_ACCOUNT_FILE = 'JSON_AUTH_FILE'
credentials = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE, scopes=SCOPES)
import os
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = SERVICE_ACCOUNT_FILE



This does the auth with google.



Now I want to list all buckets :


from google.cloud import storage
storage_client = storage.Client()
buckets = list(storage_client.list_buckets())
print(buckets)



But this doesn't work. I get:


google.api_core.exceptions.Forbidden: 403

xxx@yyy.iam.gserviceaccount.com does not have storage.buckets.list access to project



It also has a link when I click it i see (which is weird because it says 403 but here it shows 401:


{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Anonymous caller does not have storage.buckets.list access to project NUMBER.",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Anonymous caller does not have storage.buckets.list access to project NUMBER."
}
}



What am I doing wrong?





Why do you have a sqlservice.admin scope if you're trying to access Cloud Storage?
– Alberto Garcia-Raboso
Jul 2 at 13:54


sqlservice.admin





@AlbertoGarcia-Raboso I don't know. This is the first time I'm working with Google. This is what their guide showed in the example.
– jack
Jul 2 at 14:00





1 Answer
1



A couple of things to suggest in reference to this link:
https://cloud.google.com/storage/docs/reference/libraries#client-libraries-install-python



There are a couple of ways you can set roles for service accounts to access Google Storage:
https://cloud.google.com/iam/docs/understanding-roles#cloud_storage_roles



When you create your service account, select the Project Role: Storage -> Storage Admin. Setting this role will allow your service account to access and manipulate objects from Cloud Storage. Using the Storage Admin role ensures that you give the least amount of privilege to the service account so that it can't access other services.



If you're having problems with authentication perhaps look at setting the role to Project -> Editor which should give the service account edit access to most of the GCP services. Just be aware that if the service account is compromised the user will have access to most of your services in the GCP project.



By setting a custom role you can inherit the permissions given to a number of the default roles. A good way to do this is by using the "Create Role From Selection" in the IAM & Admin -> Roles section of the GCP Console.



For example you could combine the BigQuery Admin and Storage Object Admin into a single custom role by selecting the check-boxes for each role and creating your own custom role which you can then allocate to your service account in the IAM section of GCP.



Once you have a service account with the correct permissions you should be able set the GOOGLE_APPLICATION_CREDENTIALS environment variable and use the google library to access your storage buckets.


GOOGLE_APPLICATION_CREDENTIALS


google



Try this modification to your code once you have a service account with the correct role to test to see if it can list all the buckets the account has access to


import os
from google.cloud import storage

os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = "/home/user/Downloads/[FILE_NAME].json"

# Instantiates a client
storage_client = storage.Client()

# List all the buckets available
for bucket in storage_client.list_buckets():
print(bucket)





How do I change it for existing service account? I can't find this menu. There is only : edit / delete / create key and edit offer only changing the name
– jack
Jul 2 at 14:36






Say instead of listing buckets I want to upload file. Would I still need to change the Role? Because I actually need to upload files... the listing objects is just a test.
– jack
Jul 2 at 14:39





I usually just create a new service account when I need to add new roles. You'll be able to upload files using the Storage Object Admin because it has read and write permissions to the bucket
– ScottMcC
Jul 2 at 14:49





You can just create another account (you can create as many as you would like). If you're not using one that you've created you can just delete it.
– ScottMcC
Jul 2 at 15:02





The current role is Big Query editor.. If I change it to Storage Object Admin does it means I won't have permissions over big query?!
– jack
Jul 2 at 15:09






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

PHP contact form sending but not receiving emails

PHP contact form sending but not receiving emails I have created a contact form using PHP to send the data. The form seems to send fine as there are no errors and success message appears, however I am not receving the emails into the designated inbox. I am using PHPMailer as I originally tried just using the php 'mail' command which I now understand is a bit hit and miss. I cannot see why I would not be receving the emails so I would be very grateful for any help that could be given. I'm quite new to PHP so please be patient with me :) <?php use PHPMailerPHPMailerPHPMailer; use PHPMailerPHPMailerException; $msg = ""; if (isset($_POST['submit'])) { require 'phpmailer/src/Exception.php'; require 'phpmailer/src/PHPMailer.php'; require 'phpmailer/src/SMTP.php'; function sendemail ($to, $from, $body) { $mail = new PHPMailer(true); $mail->setFrom($from); $mail->addAddress($to); $ma...
Read more

Do graphics cards have individual ID by which single devices can be distinguished?

Do graphics cards have individual ID by which single devices can be distinguished? I have several graphics cards of the same manufacturer and same model and I want to distinguish them not only by the pcie socket they reside in but by some individual value I can read from the hardware. Is there such value and if so what would it be called and how could I access it? Right now I'm using modern nvidia cards (10xx series) and nvidia inspector.but I'd prefer if there was any value that was also applicable to amd. I have programming and scripting knowledge. I am running Windows 10 1 Answer 1 This is a powershell example to pull information from video cards. The DeviceID is supposed to be unique but only if the manufacturer supports Windows Display Driver Model (WDDM). (I copied this directly from docs.microsoft.com) $strComputer = "." $colItems = get-wmiobject -class "Win32_VideoC...
Read more

iOS Top Alignment constraint based on screen (superview) height

Image
iOS Top Alignment constraint based on screen (superview) height Let's say for example i want my view's top margin be 30 px for iPhone 6s and for the other screen i want to change this constants from 30 to X where X is proportional to total height of screen i.e. 36.5 for iPhone X, 33 for iPhone 6s plus, 25 for iPhone SE And so on .... I know i can take @IBOutlet of NSLayoutConstraint and change it programmatically but what i want is i want to set it like aspect ratio that we have for height width like subview's heigh width is proportional it's superview it changes with super view's height and width @IBOutlet NSLayoutConstraint 2 Answers 2 The constraint you need here is the superView's centerY set multiplier to 0.5 if you want the top anchor's constant to be 0.25 of screen height from the top , so adjust the multiplier according to this logic which is height_of_scre...
Read more