Cannot write to GCP bucket in deployed streamlit app

I am unable to write to a GCP bucket in a streamlit community cloud deployed app. I followed this guide: Connect Streamlit to Google Cloud Storage - Streamlit Docs

I've updated my secrets accordingly and all works fine when running it locally with the same secrets.

However, when run in the streamlit community cloud deployed version I get:

google.api_core.exceptions.Forbidden: 403 POST https://storage.googleapis.com/upload/storage/v1/b/images_analyzer-prod/o?uploadType=multipart: {
  "error": {
    "code": 403,
    "message": "gke-pods@s4a-prod.iam.gserviceaccount.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).",
    "errors": [
      {
        "message": "gke-pods@s4a-prod.iam.gserviceaccount.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).",

This is how I am uploading to the GCP bucket:

from typing import Union

from google.cloud import storage


def upload_blob_from_memory(
    bucket_name: str, contents: Union[str, bytes], destination_blob_name: str
) -> str:
    """Uploads a content string to a given
    Cloud Storage bucket and returns the public url to the new object."""

    # No credentials are passed here, so the client falls back to the
    # environment's Application Default Credentials, not to the values
    # stored under [connections.gcs] in st.secrets.
    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)
    blob = bucket.blob(destination_blob_name)

    blob.upload_from_string(contents)

    # public_url is the documented attribute; _get_download_url is private API.
    return blob.public_url

My secret file looks like:

[connections.gcs]
type = "service_account"
project_id = "xxx"
private_key_id = "xxx"
private_key = "xxx"
client_email = "xxx"
client_id = "xxx"
auth_uri = "https://accounts.google.com/o/oauth2/auth"
token_uri = "https://oauth2.googleapis.com/token"
auth_provider_x509_cert_url = "https://www.googleapis.com/oauth2/v1/certs"
client_x509_cert_url = "xxx"

The gke-pods@s4a-prod.iam.gserviceaccount.com is not the account I am using in my secrets, neither is it an account in my GCP project. Is this an internal Streamlit account created for deployed apps?
Please let me know what I can do to circumvent this issue in the Streamlit Cloud deployment. The client_email has all the necessary access rights to the bucket and, as I said earlier, locally everything runs fine with the exact same credentials.

Screenshot 2023-10-19 at 10.42.48

You can find the repo here: https://github.com/marcleerink/planar4_analyzer

I fixed this now by adding gke-pods@s4a-prod.iam.gserviceaccount.com as storage object creator. Please let me know if this is the expected solution.

I had exactly the same problem, but then I realized I forgot to put the GCP credentials in the secrets in Streamlit Cloud. Adding them fixed the issue. See the doc for more details: Secrets management - Streamlit Docs
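An added example, not code from the original post or from the linked repository: the `storage.Client()` call in the post passes no credentials, so on the hosting platform it runs under whatever Application Default Credentials the container has (the 403 names `gke-pods@s4a-prod.iam.gserviceaccount.com`, an identity the poster's project does not own), and the `[connections.gcs]` secrets are never used. Granting that platform identity `storage.objects.create` on the bucket makes the error go away, but it also means the bucket is writable by an identity the app owner does not control. The code below instead builds the client explicitly from the secrets section, and includes a small diagnostic that reads the principal out of a GCS 403 message and compares it with the `client_email` in the secrets, which tells you at a glance whether your credentials were actually used. It assumes the `[connections.gcs]` field names shown in the post, the `google-cloud-storage` and `google-auth` libraries (imported lazily so the pure helpers run without them), and a constructed secrets dict with a placeholder key; the bucket name in the `__main__` block is a placeholder.

```python
import re
from typing import Any, Mapping, Optional, Tuple

# Fields google.oauth2.service_account needs; same names as the [connections.gcs] section.
REQUIRED_KEYS = ("type", "project_id", "private_key", "client_email", "token_uri")

# The 403 body from the post: "<principal> does not have <permission> access ..."
_DENIED_RE = re.compile(
    r"(?P<principal>[\w.+-]+@[\w.-]+) does not have (?P<perm>[\w.]+) access"
)

# Constructed sample secrets (placeholder values, not a real key) mirroring the post's layout.
CONSTRUCTED_SECRETS = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "xxx",
    "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n",
    "client_email": "uploader@example-project.iam.gserviceaccount.com",
    "client_id": "xxx",
    "token_uri": "https://oauth2.googleapis.com/token",
}

# The message quoted in the post, used as sample input for the diagnostic.
ERROR_FROM_POST = (
    "gke-pods@s4a-prod.iam.gserviceaccount.com does not have storage.objects.create "
    "access to the Google Cloud Storage object. Permission 'storage.objects.create' "
    "denied on resource (or it may not exist)."
)


def denied_principal(error_message: str) -> Optional[Tuple[str, str]]:
    """Return (principal, permission) named in a GCS 403 message, or None if absent."""
    m = _DENIED_RE.search(error_message)
    return (m.group("principal"), m.group("perm")) if m else None


def credentials_were_bypassed(error_message: str, secrets: Mapping[str, Any]) -> bool:
    """True when the 403 names an identity other than the service account in secrets,
    i.e. the request went out under the host's Application Default Credentials."""
    found = denied_principal(error_message)
    return found is not None and found[0] != secrets["client_email"]


def service_account_info(secrets: Mapping[str, Any]) -> dict:
    """Validate the [connections.gcs] section and return a plain dict for from_service_account_info."""
    missing = [k for k in REQUIRED_KEYS if k not in secrets]
    if missing:
        raise KeyError(f"[connections.gcs] is missing {missing}")
    if secrets["type"] != "service_account":
        raise ValueError(f"expected a service_account key, got {secrets['type']!r}")
    # A key pasted as a single-line TOML string carries literal "\n"; restore real newlines.
    key = str(secrets["private_key"]).replace("\\n", "\n")
    if not key.startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM-encoded service account key")
    info = {k: str(v) for k, v in secrets.items()}
    info["private_key"] = key
    return info


def make_storage_client(info: Mapping[str, str]):
    """Build a Storage client bound to the secrets' service account instead of ADC."""
    from google.cloud import storage  # lazy import keeps the helpers above importable offline
    from google.oauth2 import service_account

    creds = service_account.Credentials.from_service_account_info(dict(info))
    return storage.Client(project=info["project_id"], credentials=creds)


def upload_blob_from_memory(client, bucket_name: str, contents, destination_blob_name: str) -> str:
    """Upload contents with an explicitly credentialed client; return the object's public URL."""
    blob = client.bucket(bucket_name).blob(destination_blob_name)
    blob.upload_from_string(contents)
    return blob.public_url


if __name__ == "__main__":
    # Offline diagnostic on the post's error text: the principal is not our client_email.
    print(denied_principal(ERROR_FROM_POST))
    print("credentials bypassed:", credentials_were_bypassed(ERROR_FROM_POST, CONSTRUCTED_SECRETS))
    # In the deployed app, read the real section from st.secrets instead of the constructed dict.
    import streamlit as st

    info = service_account_info(st.secrets["connections"]["gcs"])
    client = make_storage_client(info)
    print(upload_blob_from_memory(client, "BUCKET_NAME_PLACEHOLDER", b"hello", "smoke-test.txt"))
```

If `credentials_were_bypassed` returns True for a 403 you see in the deployed logs, the fix belongs in the code (pass credentials explicitly) or in the secrets configuration, not in the bucket's IAM policy.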