
Answer-first summary for fast verification
Answer: Grant the service-PROJECTA@gcf-admin-robot.iam.gserviceaccount.com service account the roles/storage.objectCreator role for the Cloud Storage bucket.
The 403 Forbidden error indicates a permissions issue: the service account used by the Cloud Function in project A does not have the necessary permissions to write to the Cloud Storage bucket in project B. The correct solution is to grant the service account of project A, specifically `service-PROJECTA@gcf-admin-robot.iam.gserviceaccount.com`, the `roles/storage.objectCreator` role for the bucket in project B. This directly addresses the permissions issue by enabling the service account to create objects in the specified bucket. Options A and B are incorrect because they grant permissions to a user account rather than to the service account that the Cloud Function uses. Option D is unrelated to the permissions issue and would not resolve the 403 Forbidden error.
Author: LeetQuiz Editorial Team
To resolve a "403 Forbidden" error when writing from a Cloud Function in project A to a Cloud Storage bucket in project B, what steps should you take?
(Assume the code is correct but lacks proper permissions.)
A. Grant your user account the roles/storage.objectCreator role for the Cloud Storage bucket.
B. Grant your user account the roles/iam.serviceAccountUser role for the service-PROJECTA@gcf-admin-robot.iam.gserviceaccount.com service account.
C. Grant the service-PROJECTA@gcf-admin-robot.iam.gserviceaccount.com service account the roles/storage.objectCreator role for the Cloud Storage bucket.
D. Enable the Cloud Storage API in project B.