google/location.go uses this code to open GCS buckets:

```go
_, err := l.client.Buckets.Get(id).Do()
if err != nil {
	return nil, stow.ErrNotFound
}
```
However, most of the standard IAM roles (https://cloud.google.com/storage/docs/access-control/iam-roles#standard-roles) do not include the storage.buckets.get permission. It is not necessary to have permissions on the bucket itself in order to work with objects. This also makes an unnecessary API call.
For comparison, here's a fix to the same problem in a Python library with a similar goal as stow: piskvorky/smart_open#516
This problem is additionally hard to troubleshoot because stow.ErrNotFound is returned for what is actually a permissions error. Callers have no way to distinguish the cases. It would be better to create a stow.PermissionDenied and/or to wrap the underlying error with errors.Wrap.
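One way to keep the permissions case distinguishable from the missing-bucket case, as an added example that is not stow's code and not from the issue author: map the API client's HTTP status onto a sentinel (the existing `stow.ErrNotFound`, plus a proposed `ErrPermissionDenied`, whose name is hypothetical) while keeping the original error reachable through `Unwrap`. The `apiError` type below is a constructed stand-in for the Google API client's error type (which carries an HTTP status code), defined locally so the example runs offline; the 403/404 mapping is this example's assumption about which statuses GCS returns for denied and absent buckets.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinels a caller can test with errors.Is. ErrNotFound stands in for the
// existing stow.ErrNotFound; ErrPermissionDenied is the proposed addition
// (hypothetical name, not part of stow).
var (
	ErrNotFound         = errors.New("not found")
	ErrPermissionDenied = errors.New("permission denied")
)

// apiError is a constructed stand-in for the Google API client's error type,
// which exposes the HTTP status of the failed call. Defined here so the
// example needs no network and no external module.
type apiError struct {
	Code    int
	Message string
}

func (e *apiError) Error() string {
	return fmt.Sprintf("googleapi: Error %d: %s", e.Code, e.Message)
}

// bucketError wraps a sentinel (kind) around the underlying cause so that
// errors.Is matches the sentinel and errors.As still reaches the cause.
type bucketError struct {
	op    string
	kind  error
	cause error
}

func (e *bucketError) Error() string {
	return fmt.Sprintf("%s: %v: %v", e.op, e.kind, e.cause)
}

// Is lets errors.Is(err, ErrPermissionDenied) succeed without the sentinel
// having to be in the Unwrap chain.
func (e *bucketError) Is(target error) bool { return target == e.kind }

// Unwrap exposes the original API error for errors.As and for logging.
func (e *bucketError) Unwrap() error { return e.cause }

// classifyBucketErr turns an error from a bucket/object call into a
// distinguishable sentinel. Assumed mapping: 403 means the caller lacks a
// permission (for example storage.buckets.get), 404 means the bucket does
// not exist; anything else is passed through with context.
func classifyBucketErr(op string, err error) error {
	if err == nil {
		return nil
	}
	var ae *apiError
	if errors.As(err, &ae) {
		switch ae.Code {
		case 403:
			return &bucketError{op: op, kind: ErrPermissionDenied, cause: err}
		case 404:
			return &bucketError{op: op, kind: ErrNotFound, cause: err}
		}
	}
	return fmt.Errorf("%s: %w", op, err)
}

func main() {
	// Constructed responses standing in for what the client would return.
	for _, raw := range []error{
		&apiError{Code: 403, Message: "does not have storage.buckets.get access"},
		&apiError{Code: 404, Message: "Not Found"},
		errors.New("dial tcp: i/o timeout"),
	} {
		err := classifyBucketErr("open bucket", raw)
		fmt.Printf("%v | denied=%t notfound=%t\n",
			err, errors.Is(err, ErrPermissionDenied), errors.Is(err, ErrNotFound))
	}
}
```

A caller that previously only saw `stow.ErrNotFound` can now branch on `errors.Is(err, ErrPermissionDenied)` and, when it needs the status or message, recover the original error with `errors.As`. The same classifier applies to object calls, which is where permission failures surface once the up-front `Buckets.Get` probe is dropped.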