We are exporting a Cloud SQL for PostgreSQL database to a Cloud Storage bucket using a Cloud Function.
The function is straightforward; it utilizes the export API to perform the DB export.
The Cloud SQL service account (automatically created with the DB instance and not visible as a principal in IAM) has the necessary IAM binding, specifically the Storage Object Creator role, to create objects in the designated bucket; the service account is listed in the bucket's Permissions tab.
This solution worked fine until last month, when the Cloud Function suddenly started returning the following error:
Error: The service account does not have the required permissions for the bucket.
at Gaxios._request (/workspace/node_modules/gaxios/build/src/gaxios.js:142:23)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async JWT.requestAsync (/workspace/node_modules/google-auth-library/build/src/auth/oauth2client.js:429:18)
at async run (/workspace/index.js:19:5)
at async exports.exportDb (/workspace/index.js:35:5)
This error can occur when the bucket doesn’t exist, but in our case, the bucket is present.
We tried removing and re-adding the permission, which worked for a couple of days, but the issue reappeared with the same behavior. Now, even after removing and reassigning the permissions, the error persists.
What’s baffling is that no one is modifying the service account; the audit logs only show our fixes and nothing else.
I’d also like to note that this solution had been working flawlessly for over a year until last month.
Update:
We tried granting the Storage Admin role on the bucket to the service account, and it worked.
However, I strongly feel that something isn’t working as expected. The Storage Object Creator role should be sufficient to perform the export operation.
We investigated the issue further through trial and error, and now the lowest functioning role is Storage Object User instead of Storage Object Creator.
The documentation has also been updated accordingly.
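An added check, not code from the thread, that audits a bucket IAM policy for the Cloud SQL service account against the roles this thread found to work; the policy JSON, bucket name and service-account e-mail below are constructed samples:

```python
import json

# Bucket roles the thread found sufficient for the Cloud SQL export:
# Storage Object User is the lowest working role and Storage Admin also
# worked; Object Admin is a superset of Object User, so it is listed too.
SUFFICIENT_ROLES = {
    "roles/storage.objectUser",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}
# The role that used to work but no longer does, per the thread.
INSUFFICIENT_ROLES = {"roles/storage.objectCreator"}

def check_export_binding(policy, sql_sa_email):
    """Return (ok, roles, notes) for the Cloud SQL service account's bucket grants."""
    member = f"serviceAccount:{sql_sa_email}"
    roles, notes = set(), []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        if binding.get("condition"):
            # A conditional grant may not apply at export time; flag it, don't count it.
            notes.append(f"{role} is conditional: {binding['condition'].get('title', '?')}")
            continue
        roles.add(role)
    ok = bool(roles & SUFFICIENT_ROLES)
    if not ok and roles & INSUFFICIENT_ROLES:
        notes.append("only Storage Object Creator is bound; grant roles/storage.objectUser instead")
    return ok, roles, notes

def remediation_command(bucket, sql_sa_email):
    """gcloud command that grants the minimal working role on the bucket."""
    return (f"gcloud storage buckets add-iam-policy-binding gs://{bucket} "
            f"--member=serviceAccount:{sql_sa_email} --role=roles/storage.objectUser")

# Constructed sample, shaped like `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`.
SAMPLE_SA = "p123456-abcdef@gcp-sa-cloud-sql.iam.gserviceaccount.com"  # constructed
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.objectCreator",
   "members": ["serviceAccount:p123456-abcdef@gcp-sa-cloud-sql.iam.gserviceaccount.com"]},
  {"role": "roles/storage.admin", "members": ["group:storage-admins@example.com"]}
]}""")

if __name__ == "__main__":
    ok, roles, notes = check_export_binding(SAMPLE_POLICY, SAMPLE_SA)
    print("sufficient" if ok else "insufficient", sorted(roles), notes)
    if not ok:
        print(remediation_command("my-export-bucket", SAMPLE_SA))
```

The Cloud SQL service-account address to pass in is the `serviceAccountEmailAddress` field of `gcloud sql instances describe INSTANCE`.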