This document describes the error messages that you might encounter if you don't have the required access permissions for a resource.
Issues that cause permission error messages
The Cloud de Confiance console, Google Cloud CLI, and REST API all display error messages when you try to access a resource that you don't have permission to access.
These error messages can be caused by any of the following:
- You don't have the required permissions. You must have an allow policy role binding with the required permissions. If you don't have the required permissions, then Cloud de Confiance displays an error message.
- There's a deny policy blocking access. If a deny policy prevents you from using any of the required permissions, then Cloud de Confiance displays an error message.
- The resource doesn't exist. If the resource doesn't exist, then Cloud de Confiance displays an error message.
The following sections show what these error messages look like for the Cloud de Confiance console, gcloud CLI, and REST API.
Cloud de Confiance console error messages
In the Cloud de Confiance console, error messages look similar to the following:
These error messages contain the following information:
- The resource that you tried to access: The resource name appears in the title of the error page and indicates the resource that you were trying to access when you encountered the permission error.
- The missing required permissions: A list of the permissions that you need to have to access the resource.
- A list of IAM roles that contain the required permissions: This list is non-exhaustive; it contains a curated list of roles that Cloud de Confiance suggests to resolve the access issue. Ordering is based on the type of actions permitted by the role, service relevance, and the number of permissions.
  If you have the permissions required to grant roles, then this section is titled Select a role to grant. If you don't have the required permissions, then this section is titled Request a specific role.
  You can click a role to learn more about the role and request that the role be granted to you. If you have the permissions required to grant roles, then you can grant yourself the role instead of requesting it.
Google Cloud CLI and REST API error messages
The exact wording of the error message depends on the command that you run. However, it typically contains the following information:
- The required permission
- The resource you tried to perform an action on
- The authenticating account
For example, if you don't have permission to list buckets in a project, you see an error message like the following:
gcloud
ERROR: (gcloud.storage.buckets.list) HTTPError 403:
EMAIL_ADDRESS does not have
storage.buckets.list access to the Google Cloud project. Permission
'storage.buckets.list' denied on resource (or it may not exist). This command
is authenticated as EMAIL_ADDRESS which
is the active account specified by the [core/account] property.
REST
{
  "error": {
    "code": 403,
    "message": "EMAIL_ADDRESS does not have storage.buckets.list access to the Google Cloud project. Permission 'storage.buckets.list' denied on resource (or it may not exist).",
    "errors": [
      {
        "message": "EMAIL_ADDRESS does not have storage.buckets.list access to the Google Cloud project. Permission 'storage.buckets.list' denied on resource (or it may not exist).",
        "domain": "global",
        "reason": "forbidden"
      }
    ]
  }
}
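The following added example (not part of the original documentation) parses a REST 403 body like the one above into the fields a reviewer needs when triaging an access request: the authenticating account, the denied permission, and the three possible causes this page lists. The function name, the regular expressions, and the `user@example.com` placeholder are assumptions based on the sample message; because the wording depends on the command, unmatched fields are returned as `None`.

```python
import json
import re
from typing import Optional

# Patterns follow the sample message on this page. The page notes that exact
# wording depends on the command, so a non-match yields None for that field.
PERMISSION_RE = re.compile(r"Permission '([A-Za-z0-9_.]+)' denied on resource")
PRINCIPAL_RE = re.compile(r"^(\S+) does not have ")

# The three causes the page lists; the error body does not say which applies.
POSSIBLE_CAUSES = (
    "no allow policy role binding grants the permission",
    "a deny policy blocks the permission",
    "the resource does not exist",
)

# Constructed sample: the page's REST body with a placeholder account.
SAMPLE_BODY = json.dumps({"error": {
    "code": 403,
    "message": "user@example.com does not have storage.buckets.list access "
               "to the Google Cloud project. Permission 'storage.buckets.list' "
               "denied on resource (or it may not exist).",
    "errors": [{"domain": "global", "reason": "forbidden"}],
}})


def parse_permission_error(body: str) -> Optional[dict]:
    """Extract triage fields from a REST 403 body; None if it is not one."""
    try:
        error = json.loads(body)["error"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(error, dict) or error.get("code") != 403:
        return None
    message = str(error.get("message", ""))
    permission = PERMISSION_RE.search(message)
    principal = PRINCIPAL_RE.search(message)
    details = error.get("errors")
    if not isinstance(details, list):
        details = []
    return {
        "principal": principal.group(1) if principal else None,
        "permission": permission.group(1) if permission else None,
        "reasons": [d.get("reason") for d in details if isinstance(d, dict)],
        "possible_causes": list(POSSIBLE_CAUSES),
    }


if __name__ == "__main__":
    print(json.dumps(parse_permission_error(SAMPLE_BODY), indent=2))
```

The result always carries all three causes because the message text "denied on resource (or it may not exist)" does not distinguish a missing role binding from a deny policy or a nonexistent resource.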
What's next
- If you don't have administrative permissions and you encounter a permission error message, see Request missing permissions.
- If you have administrative permissions and need to resolve a user access request, see Resolve permission errors.
