Cannot write to GCP bucket in deployed streamlit app

Marc_Leerink · October 19, 2023, 8:44am

I am unable to write to a GCP bucket in a streamlit community cloud deployed app. I followed this guide: Connect Streamlit to Google Cloud Storage - Streamlit Docs

I’ve updated my secrets accordingly and all works fine when running it locally with the same secrets.

However, when run in the streamlit community cloud deployed version I get:

google.api_core.exceptions.Forbidden: 403 POST https://storage.googleapis.com/upload/storage/v1/b/images_analyzer-prod/o?uploadType=multipart: {

"error": {


"code": 403,

"message": "gke-pods@s4a-prod.iam.gserviceaccount.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).",

"errors": [

  {

    "message": "gke-pods@s4a-prod.iam.gserviceaccount.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).",

This is how i am uploading to the GCP bucket:

def upload_blob_from_memory(
    bucket_name: str, contents: Union[str, bytes], destination_blob_name: str
) -> str:
    """Uploads a content string to a given
    Cloud Storage bucket and returns the public url to the new object."""

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)
    blob = bucket.blob(destination_blob_name)

    blob.upload_from_string(contents)

    return blob._get_download_url(client=storage_client)

My secret file looks like:

[connections.gcs] 
type = "service_account" 
project_id = "xxx" 
private_key_id = "xxx" 
private_key = "xxx" 
client_email = "xxx" 
client_id = "xxx" 
auth_uri = "https://accounts.google.com/o/oauth2/auth" 
token_uri = "https://oauth2.googleapis.com/token"
auth_provider_x509_cert_url = "https://www.googleapis.com/oauth2/v1/certs" client_x509_cert_url = "xxx"`

The gke-pods@s4a-prod.iam.gserviceaccount.com is not the account I am using in my secrets, neither is it an account in my GCP project. Is this a internal streamlit account created for deployed apps?
Please let me know what I can do to circumvent this issue in the streamlit cloud deployment. The client_email has all the necessary access rights to the bucket and as I said earlier, locally everything runs fine with the exact same credentials.

Screenshot 2023-10-19 at 10.42.48

You can find the repo here: https://github.com/marcleerink/planar4_analyzer

Marc_Leerink · October 19, 2023, 2:47pm

I fixed this now by adding gke-pods@s4a-prod.iam.gserviceaccount.com as storage object creator. Please let me know if this is the expected solution

Topic		Replies	Views
Streamlit Deployed in GCP 🚀 Deployment gcp	1	535	November 19, 2023
Streamlit Authentication Error 403? Please help! ☁️ Community Cloud pandas , authentication , streamlit-cloud	7	614	April 5, 2024
Local works but Streamlit cloud throws 403 status code for URL request ☁️ Community Cloud cache , streamlit-cloud	2	624	November 15, 2023
Cannot upload my project ☁️ Community Cloud	4	209	April 6, 2024
Streamlit's Cloud Google OAuth stuck in a loop for some users ☁️ Community Cloud authentication , streamlit-cloud , debugging	1	62	April 2, 2024

Cannot write to GCP bucket in deployed streamlit app

Related Topics

Hello there 👋🏻

Cookie settings

Strictly necessary cookies

Performance cookies

Functional cookies

Targeting cookies