I have a bucket set up in Google Cloud Storage, with the "object default permissions" set to grant the "User" group "allUsers" with permission "Reader".
In the bucket there are a number of files, and I have a client checking if a particular file is present by trying to access it. Most of the time we get a 404 response, but fairly often we see a 403 response for the first few tries.
The 403 response body is (with my own formatting and replacement of private info):
<?xml version='1.0' encoding='UTF-8'?>
<Error>
<Code>AccessDenied</Code>
<Message>Access denied.</Message>
<Details>Anonymous users does not have storage.objects.get access to object mybucket/myfile.gz.</Details>
</Error>
So my question is why do I sometimes get a 403 and sometimes a 404 response when trying to open a file that doesn't exist?
I know that there will be changes from 29 May 2017, but they are not in effect yet, and so it appears that either something is wrong or Google have been randomly applying the new logic early.
I have a definitive answer on this via an email from Google, so I'm giving the response for completeness.
It has been found out that there was a miscommunication between the Engineers. Originally, the changes were supposed to be scheduled on 5/22 but due to some internal delays, they decided to announce it on a later date which is 5/29. Due to this confusion, the Engineers rolled this feature out on the original date (5/22) instead of 5/29.
TL;DR: Google screwed up and rolled out breaking changes a week early.