Archival Fails Due to Missing `storage.buckets.get` Permission in GCP Objectstore Binding
Expected Behavior
As a Temporal user, I should be able to utilize a GCP Objectstore bucket for archival with the permissions provided by the GCP Objectstore service. These permissions allow content creation within the bucket.
Actual Behavior
Archival fails with a "permission denied" error because the necessary storage.buckets.get permission for the bucket itself is not included in the Objectstore binding.
"[email protected] does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist)., forbidden"
Steps to Reproduce the Problem
Create a service account with the IAM permissions below and try to use that service account for Temporal archival:
- storage.objects.create
- storage.objects.get
- storage.objects.delete
- storage.objects.list
Specifications
NA, All versions
The GCP archiver implementation verifies whether the bucket exists, both at archive time and when the archival configuration is updated for a new or existing namespace. https://github.com/temporalio/temporal/blob/main/common/archiver/gcloud/history_archiver.go#L277
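A preflight check that asks GCS which of the required permissions the archival credentials actually hold on the bucket, so the missing `storage.buckets.get` is reported before the archiver's bucket-existence check fails at config or archive time. This is an added example, not Temporal's code; it assumes the `google-cloud-storage` package is installed, that the process is authenticated as the archival service account, and the bucket name is a placeholder.

```python
"""Preflight for the Temporal GCS archiver permission failure (added example)."""

# Object-level permissions from the reproduction steps, plus the bucket-level
# permission the archiver needs to verify that the bucket exists.
REQUIRED_PERMISSIONS = (
    "storage.buckets.get",
    "storage.objects.create",
    "storage.objects.get",
    "storage.objects.delete",
    "storage.objects.list",
)


def missing_permissions(required, granted):
    """Return required permissions absent from `granted`, split by the resource
    they apply to ("bucket" vs "object"), in the order of `required`."""
    granted = set(granted)
    missing = {"bucket": [], "object": []}
    for perm in required:
        if perm in granted:
            continue
        scope = "bucket" if perm.startswith("storage.buckets.") else "object"
        missing[scope].append(perm)
    return missing


def diagnose(granted):
    """Verdict string for a set of granted permissions."""
    missing = missing_permissions(REQUIRED_PERMISSIONS, granted)
    if not missing["bucket"] and not missing["object"]:
        return "ok"
    parts = []
    if missing["bucket"]:
        parts.append("bucket-level: " + ", ".join(missing["bucket"]))
    if missing["object"]:
        parts.append("object-level: " + ", ".join(missing["object"]))
    return "archival would fail; missing " + "; ".join(parts)


def preflight(bucket_name):
    """Live check: buckets.testIamPermissions returns the subset of the requested
    permissions the caller holds on the bucket (object permissions are evaluated
    on the bucket resource too). Requires network and credentials."""
    from google.cloud import storage  # lazy import so the pure logic runs offline

    bucket = storage.Client().bucket(bucket_name)
    granted = bucket.test_iam_permissions(list(REQUIRED_PERMISSIONS))
    return diagnose(granted)


if __name__ == "__main__":
    print(preflight("YOUR-ARCHIVAL-BUCKET"))  # placeholder bucket name
```

The five permissions in `REQUIRED_PERMISSIONS` are also the least-privilege set to put in a custom role (`gcloud iam roles create ... --permissions=...`) instead of granting a broad predefined storage role.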
Is adding storage.buckets.get permission not an option for you?
This is not a priority for us now unfortunately. Happy to take a contribution if this is important and adding permission is not an option.
Closing this due to lack of interest.