storage.objects.get permission denied when accessing Google Play Console stats bucket (pubsite_prod_rev_*)

[cmw9706]

Issue Summary

I'm receiving a 403 permission denied error when trying to programmatically access Google Play Console statistics CSV reports from the Cloud Storage bucket, despite having configured the service account permissions according to the documentation.

Error Message

{
  "error": {
    "code": 403,
    "message": "googleplaystats@delinea-3ea8b.iam.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist).",
    "errors": [
      {
        "message": "googleplaystats@delinea-3ea8b.iam.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist).",
        "domain": "global",
        "reason": "forbidden"
      }
    ]
  }
}

Environment

• Node.js version: 20.x
• @google-cloud/storage: ^7.18.0
• googleapis: ^131.0.0
• google-auth-library: ^10.5.0

Setup

I'm trying to access Google Play Console's exported statistics from the Cloud Storage bucket (pubsite_prod_rev_XXXXX). This bucket is managed by Google/Play Console, not by my GCP project.

Steps I've taken:

1. Created a service account in my GCP project
2. Added the service account email to Play Console under Users and permissions > Invite user
3. Granted "View app information and download bulk reports" permission at the account level (global, not per-app)
4. Using the devstorage.read_only OAuth scope
5. Confirmed the bucket ID from Play Console > Download reports > Copy Cloud Storage URI

Code

import { Storage } from "@google-cloud/storage";
import { google } from "googleapis";

const auth = new google.auth.GoogleAuth({
  keyFile: serviceAccountPath,
  scopes: ["https://www.googleapis.com/auth/devstorage.read_only"],
});

const authClient = await auth.getClient();
const storage = new Storage({ authClient });

const bucket = storage.bucket("pubsite_prod_rev_XXXXX");
const file = bucket.file("stats/installs/installs_com.example.app_202411_overview.csv");
const [content] = await file.download(); // <-- 403 here

Questions for the community

1. Is this expected behavior? Are Google-managed Play Console buckets intentionally blocked from programmatic access via service accounts, even with proper Play Console permissions?

2. Has anyone successfully accessed these buckets programmatically? If so, what additional configuration was required?

3. Is there a different API or approach that should be used for fetching Play Console statistics programmatically? (I know the Play Developer API exists but it doesn't expose install/user statistics—only reviews, subscriptions, etc.)

4. Permission propagation delay? I've waited 24+ hours after granting permissions. Is there a known longer delay for these Google-managed buckets?

Additional context

• The bucket is not owned by my GCP project—it's a Google-managed bucket created by Play Console
• I can manually download these reports through the Play Console web UI
• The service account can authenticate successfully (token is obtained), but the bucket access is denied

Any guidance would be appreciated. Thanks!

[cmw9706]

For anyone else that ends up here. I have no idea why, but storage needs to be instantiated like this.

    const keyFile = JSON.parse(
      require("fs").readFileSync(pathToMyKeyFile, "utf8")
    );

    this.storage = new Storage({
      credentials: {
        client_email: keyFile.client_email,
        private_key: keyFile.private_key,
      },
      projectId: keyFile.project_id,
      scopes: ["https://www.googleapis.com/auth/devstorage.read_only"],
    });