
Permission Issue with compute.globalOperations.get with Custom IAM Role

Hi everyone,

I'm facing an issue while trying to retrieve the status of a global operation using the Compute Engine API. When making the following API call:

 

GET https://www.googleapis.com/compute/v1/projects/gcp-driver-integrations/global/operations/operation-1742304458896-6309dde5cf3fb-68fe8327-1e1c7373

 

I receive the following error:

 

Error Code: 403  
Error: Required 'compute.globalOperations.get' permission for 'projects/gcp-driver-integrations/global/operations/operation-1742304458896-6309dde5cf3fb-68fe8327-1e1c7373'.

 

To resolve this, I initially assigned a custom IAM role to my service account, explicitly granting the compute.globalOperations.get permission. However, I keep getting the same error.

Interestingly, when I assigned the compute.viewer role, the issue disappeared—but I want to avoid granting unnecessary permissions that come with this predefined role.

My questions:

  1. Are there any additional permissions (beyond compute.globalOperations.get) required for this API call?

  2. Could there be hidden dependencies or constraints that prevent the custom role from working as expected?

  3. Are there API scope considerations that could affect this behavior?

  4. Has anyone encountered this issue before? Are there any additional IAM settings or API scopes that might be required for this request to succeed?

I’d appreciate any insights or suggestions!

Thanks in advance.


Hi Mihaylo,

Welcome to Google Cloud Community!

Have you checked the API scope authorization? If you’re using OAuth for a service account, based on this documentation, one of the following OAuth scopes is required:

Additionally, there could be a possibility of IAM Policy Binding Issues. Ensure that your service account has an expected role. Run the following code:

 

gcloud projects get-iam-policy [PROJECT_ID/NUMBER] --flatten="bindings[].members" --format='table(bindings.role, bindings.members)'

 

Lastly, if needed, force the IAM policy refresh by re-adding and removing the IAM policy binding. Changes can take a few minutes to apply.


If the issue still persists and needs further assistance, please feel free to reach out to the Google support team.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
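Added example, not part of the thread: a way to run the binding check from the reply offline over saved JSON and see, for each role bound to the service account, whether it can actually grant compute.globalOperations.get. The project, service account, role names and condition below are constructed sample data; only direct project-level bindings are examined (group membership and folder or organization policies are not resolved).

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
POLICY = json.loads("""
{"bindings": [
  {"role": "projects/example-project/roles/opStatusReader",
   "members": ["serviceAccount:poller@example-project.iam.gserviceaccount.com"],
   "condition": {"title": "temporary",
                 "expression": "request.time < timestamp('2025-01-01T00:00:00Z')"}},
  {"role": "projects/example-project/roles/legacyReader",
   "members": ["serviceAccount:poller@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/compute.viewer", "members": ["user:admin@example.com"]}
]}
""")

# Constructed sample: role name -> shape of `gcloud iam roles describe ... --format=json`.
ROLES = {
    "projects/example-project/roles/opStatusReader": {
        "includedPermissions": ["compute.globalOperations.get"], "stage": "GA"},
    "projects/example-project/roles/legacyReader": {
        "includedPermissions": ["compute.globalOperations.get"], "stage": "DISABLED"},
}

def audit(policy, roles, member, permission):
    """Return (role, verdict) for every binding that names `member` directly."""
    findings = []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = roles.get(binding["role"])
        if role is None:
            verdict = "role definition not supplied"
        elif role.get("deleted") or role.get("stage") == "DISABLED":
            verdict = "role deleted or disabled"  # bindings to it are inactive
        elif permission not in role.get("includedPermissions", []):
            verdict = "permission not in role"
        elif "condition" in binding:
            # Granted only while the condition evaluates to true.
            verdict = "conditional: " + binding["condition"]["expression"]
        else:
            verdict = "grants"
        findings.append((binding["role"], verdict))
    return findings

def grants_unconditionally(policy, roles, member, permission):
    """True only if some active, unconditional binding carries the permission."""
    return any(v == "grants" for _, v in audit(policy, roles, member, permission))
```

An empty result from audit() means the member has no direct binding in the policy that was inspected.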